WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fixes and new tests for building wolfCrypt/wolfTPM without ECC or RSA. Fixes ZD 18470. Improved smallstack (eliminated `WOLFTPM2_MAX_BUFFER`). Fixes for building with NO_ASN.

pull/371/head
David Garske 2024-08-19 09:55:15 -07:00
parent f1ce2d268f
commit 026c82f799
32 changed files with 752 additions and 359 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
.github/workflows/make-test-swtpm.yml vendored
View File

@ -12,10 +12,10 @@ jobs:
runs-on: ubuntu-latest
steps:
#pull wolfTPM
# pull wolfTPM
- uses: actions/checkout@master
#setup wolfssl
# setup wolfssl
- uses: actions/checkout@master
with:
repository: wolfssl/wolfssl
@ -28,9 +28,11 @@ jobs:
run: ./configure --enable-wolftpm --enable-pkcallbacks
- name: wolfssl make install
working-directory: ./wolfssl
run: sudo make install
run: |
make
sudo make install
#setup ibmswtpm2
# setup ibmswtpm2
- uses: actions/checkout@master
with:
repository: kgoldman/ibmswtpm2
@ -41,7 +43,7 @@ jobs:
make
./tpm_server &
#setup and test defaults (with simulator)
# setup and test defaults (with simulator)
- name: autogen
run: ./autogen.sh
- name: configure
@ -74,7 +76,7 @@ jobs:
run: |
LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll
#test no wolfcrypt
# test no wolfcrypt
- name: configure no wolfCrypt
run: ./configure --enable-swtpm --disable-wolfcrypt
- name: make no wolfCrypt
@ -82,9 +84,9 @@ jobs:
- name: make check no wolfCrypt
run: |
make check
WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh
WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh
#test no wrapper
# test no wrapper
- name: configure no wrapper
run: ./configure --enable-swtpm --disable-wrapper
- name: make no wrapper
@ -138,10 +140,52 @@ jobs:
- name: make pedantic
run: make
# test without ECC
- name: wolfssl no ECC
working-directory: ./wolfssl
run: |
./configure --enable-wolftpm --disable-ecc
make
sudo make install
- name: wolftpm no ECC
run: |
./configure --enable-swtpm
make
make check
WOLFSSL_PATH=./wolfssl WOLFCRYPT_ECC=0 ./examples/run_examples.sh
# test without RSA
- name: wolfssl no RSA
working-directory: ./wolfssl
run: |
./configure --enable-wolftpm --disable-rsa
make
sudo make install
- name: wolftpm no RSA
run: |
./configure --enable-swtpm
make
make check
WOLFSSL_PATH=./wolfssl WOLFCRYPT_RSA=0 ./examples/run_examples.sh
# test with default configure (no AES CFB, no PKCS7, no crpyto cb, no cert gen)
- name: wolfssl default configure
working-directory: ./wolfssl
run: |
./configure CFLAGS="-DWOLFSSL_PUBLIC_MP"
make
sudo make install
- name: wolftpm default configure
run: |
./configure --enable-swtpm
make
make check
WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh
# capture logs on failure
- name: Upload failure logs
if: failure()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolftpm-test-logs
path: |

0
IDE/IAR-EWARM/source/main.c 100755 → 100644
View File

0
IDE/IAR-EWARM/source/tpm_main.c 100755 → 100644
View File

15
IDE/QNX/README.md
View File

@ -41,9 +41,8 @@ Here is a template:
/* Reduce stack use */
#define MAX_COMMAND_SIZE 1024
#define MAX_RESPONSE_SIZE 1024
#define WOLFTPM2_MAX_BUFFER 1500
#define MAX_DIGEST_BUFFER 973
#define MAX_RESPONSE_SIZE 1350
#define MAX_DIGEST_BUFFER 896
/* Debugging */
#if 1
@ -113,7 +112,7 @@ Edit the following QNX BSP files:
@@ -442,7 +442,7 @@ static void xzynq_setup(xzynq_spi_t *dev, uint32_t device)
spi_debug1("%s: CONFIG_SPI_REG = 0x%x", __func__, dev->ctrl[id]);
#endif
- if(dev->fcs) {
+ if(dev->fcs || (devlist[id].cfg.mode & SPI_MODE_MAN_CS)) {
out32(base + XZYNQ_SPI_CR_OFFSET, dev->ctrl[id] | XZYNQ_SPI_CR_MAN_CS);
@ -122,7 +121,7 @@ Edit the following QNX BSP files:
@@ -621,7 +621,7 @@ void *xzynq_xfer(void *hdl, uint32_t device, uint8_t *buf, int *len)
reset = 1;
}
- if(!dev->fcs) {
+ if(!dev->fcs && !(devlist[id].cfg.mode & SPI_MODE_MAN_CS)) {
xzynq_spi_slave_select(dev, id, 0);
@ -135,12 +134,12 @@ Edit the following QNX BSP files:
@@ -72,6 +73,16 @@ int xzynq_cfg(void *hdl, spi_cfg_t *cfg, int cs)
/* Enable ModeFail generation */
ctrl |= XZYNQ_SPI_CR_MFAIL_EN;
+ if (cfg->mode & SPI_MODE_MAN_CS)
+ ctrl |= XZYNQ_SPI_CR_MAN_CS; /* enable manual CS mode */
+
+ if (cfg->mode & SPI_MODE_CLEAR_CS) {
+ /* make sure all chip selects are de-asserted */
+ /* make sure all chip selects are de-asserted */
+ /* set all CS bits high to de-assert */
+ out32(base + XZYNQ_SPI_CR_OFFSET,
+ in32(base + XZYNQ_SPI_CR_OFFSET) | XZYNQ_SPI_CR_CS);
@ -156,7 +155,7 @@ Edit the following QNX BSP files:
#define SPI_MODE_IDLE_INSERT (1 << 16)
+#define SPI_MODE_MAN_CS (1 << 17) /* Manual Chip select */
+#define SPI_MODE_CLEAR_CS (1 << 18) /* Clear all chip selects (used with SPI_MODE_MAN_CS) */
#define SPI_MODE_LOCKED (1 << 31) /* The device is locked by another client */
```

2
configure.ac
View File

@ -355,7 +355,7 @@ then
# Reduces max packet and buffer sizes to 1024 bytes
# RSA KeyGen AES response is 1329 MAX_RESPONSE_SIZE
AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DWOLFTPM2_MAX_BUFFER=1500 -DMAX_DIGEST_BUFFER=973"
AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DMAX_DIGEST_BUFFER=896"
# If parameter encryption is not used then maximum session count is one
if test "x$ENABLED_WOLFCRYPT" = "xno"

6
examples/bench/bench.c
View File

@ -269,8 +269,12 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit;
if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = &storageKey;
#ifdef NO_RSA
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

6
examples/boot/secret_seal.c
View File

@ -64,7 +64,7 @@ static void usage(void)
}
/* Load Key Public Info */
#if !defined(NO_FILESYSTEM)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
TPM_ALG_ID alg, const char* file)
{
@ -99,7 +99,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
}
return rc;
}
#endif /* !NO_FILESYSTEM */
#endif /* !NO_FILESYSTEM && !NO_ASN */
int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
{
@ -232,7 +232,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
else if (alg == TPM_ALG_ECC)
publicKeyFile = "./certs/example-ecc256-key-pub.der";
}
#if !defined(NO_FILESYSTEM)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
/* Policy Authorization */
if (policyFile) {
policyDigestSz = (word32)sizeof(policyDigest);

6
examples/boot/secret_unseal.c
View File

@ -62,7 +62,7 @@ static void usage(void)
}
/* Load Key Public Info */
#if !defined(NO_FILESYSTEM)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
TPM_ALG_ID alg, const char* file)
{
@ -103,7 +103,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
}
return rc;
}
#endif /* !NO_FILESYSTEM */
#endif /* !NO_FILESYSTEM && !NO_ASN */
int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
{
@ -251,7 +251,7 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
printHexString(policyDigest, policyDigestSz, policyDigestSz);
/* Load external public key and signature */
#if !defined(NO_FILESYSTEM)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
/* Policy Authorization Signature */
if (pcrSigFile) {
sigSz = (word32)sizeof(sig);

1
examples/boot/secure_rot.c
View File

@ -90,6 +90,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[])
XMEMSET(&parent, 0, sizeof(parent));
XMEMSET(authBuf, 0, sizeof(authBuf));
XMEMSET(digest, 0, sizeof(digest));
XMEMSET(&nv, 0, sizeof(nv));
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||

18
examples/endorsement/get_ek_certs.c
View File

@ -107,7 +107,7 @@ static void show_ek_public(const TPM2B_PUBLIC* pub)
}
}
#ifndef WOLFTPM2_NO_WOLFCRYPT
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
static int compare_ek_public(const TPM2B_PUBLIC* ekpub,
const TPM2B_PUBLIC* certpub)
{
@ -154,7 +154,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
uint32_t certSz;
TPMT_PUBLIC publicTemplate;
word32 nvIndex;
#ifndef WOLFTPM2_NO_WOLFCRYPT
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
#ifndef WOLFCRYPT_ONLY
int i;
WOLFSSL_CERT_MANAGER* cm = NULL;
@ -196,7 +196,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
rc = 0;
printf("Found %d TCG handles\n", handles.count);
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY) && \
!defined(NO_ASN)
/* load trusted certificates to cert manager */
certSz = 0;
cm = wolfSSL_CertManagerNew();
@ -208,12 +209,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
WOLFSSL_FILETYPE_PEM);
if (rc == WOLFSSL_SUCCESS) {
certSz++;
rc = 0;
}
else {
printf("Warning: Failed to load trusted PEM at index %d\n", i);
printf("Warning: Failed to load trusted PEM at index %d. "
"Error %s (rc %d)\n", i, TPM2_GetRCString(rc), rc);
/* not fatal, continue loading trusted certs */
}
rc = 0; /* reset return code */
}
printf("Loaded %d trusted certificates\n", certSz);
}
@ -272,7 +274,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
show_ek_public(&endorse.pub);
}
#ifndef WOLFTPM2_NO_WOLFCRYPT
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
if (rc == 0) {
/* Attempt to parse certificate */
printf("Parsing certificate (%d bytes)\n", certSz);
@ -376,7 +378,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
}
#endif /* WOLFSSL_DER_TO_PEM */
}
#endif /* !WOLFTPM2_NO_WOLFCRYPT */
#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_ASN */
wolfTPM2_UnloadHandle(&dev, &endorse.handle);
XMEMSET(&endorse, 0, sizeof(endorse));
@ -384,7 +386,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
exit:
#ifndef WOLFTPM2_NO_WOLFCRYPT
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
#ifdef WOLFSSL_DER_TO_PEM
XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

4
examples/keygen/external_import.c
View File

@ -172,6 +172,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
printf("Import Seed %d\n", seedValue.size);
TPM2_PrintBin(seedValue.buffer, seedValue.size);
#ifndef NO_ASN
rc = wolfTPM2_ImportPrivateKeyBuffer(&dev, &storage, TPM_ALG_RSA, key2,
ENCODING_TYPE_PEM, extRSAPrivatePem, (word32)strlen(extRSAPrivatePem),
NULL, attributes, seedValue.buffer, seedValue.size);
@ -179,6 +180,9 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
printf("wolfTPM2_ImportPrivateKeyBuffer failed import\n");
goto exit;
}
#else
(void)attributes;
#endif
rc = wolfTPM2_LoadKey(&dev, key2, &primary->handle);
if (rc != 0) {

26
examples/keygen/keygen.c
View File

@ -127,6 +127,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_KEYBLOB primaryBlob; /* Primary key as WOLFTPM2_KEYBLOB */
TPMT_PUBLIC publicTemplate;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* default, see usage() for options */
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
TPM_ALG_ID algSym = TPM_ALG_CTR; /* default Symmetric Cipher, see usage */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
@ -142,7 +143,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
const char *pubFilename = NULL;
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
const char *nameFile = "ak.name"; /* Name Digest for attestation purposes */
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
const char *pemFilename = NULL;
#endif
#endif
@ -220,6 +221,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
XMEMSET(&auth, 0, sizeof(auth));
if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
printf("TPM2.0 Key generation example\n");
printf("\tKey Blob: %s\n", outputFile);
printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
@ -227,6 +231,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
printf("\t\t %s mode, %d keybits\n", symMode, keyBits);
}
printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default");
printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg));
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -237,16 +242,12 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
if (endorseKey) {
/* endorsement is always RSA */
rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
endorse.handle.policyAuth = 1; /* EK requires Policy auth, not Password */
pubFilename = ekPubFile;
primary = &endorse;
}
else {
/* SRK: Use RSA or ECC SRK only. Prefer ECC */
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC;
if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
pubFilename = srkPubFile;
primary = &storage;
@ -254,8 +255,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit;
if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = primary;
#ifndef HAVE_ECC
if (srkAlg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (srkAlg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("HMAC Session: Handle 0x%x\n",
@ -404,7 +414,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
/* Save EK public key as PEM format file to the disk */
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && \
!defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
!defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
if (pemFiles) {
byte pem[MAX_RSA_KEY_BYTES];
word32 pemSz;

42
examples/keygen/keyimport.c
View File

@ -69,7 +69,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_DEV dev;
WOLFTPM2_KEY storage; /* SRK */
WOLFTPM2_KEYBLOB impKey;
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA, srkAlg; /* TPM_ALG_ECC */
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
const char* outputFile = "keyblob.bin";
@ -98,6 +99,9 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
alg = TPM_ALG_ECC;
}
else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
alg = TPM_ALG_RSA;
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}
@ -137,9 +141,13 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
XMEMSET(&impKey, 0, sizeof(impKey));
XMEMSET(&tpmSession, 0, sizeof(tpmSession));
if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
printf("TPM2.0 Key Import example\n");
printf("\tKey Blob: %s\n", outputFile);
printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg));
printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
printf("\tpassword: %s\n", password);
@ -149,24 +157,24 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
goto exit;
}
srkAlg = alg;
#if defined(HAVE_ECC) && !defined(WOLFSSL_PUBLIC_MP)
if (srkAlg == TPM_ALG_ECC && paramEncAlg != TPM_ALG_NULL) {
/* ECC encrypt requires mp_ API's */
printf("Parameter encryption with ECC SRK support not available, "
"using RSA SRK\n");
srkAlg = TPM_ALG_RSA;
}
#endif
/* get SRK */
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
if (rc != 0) goto exit;
if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = &storage;
#ifndef HAVE_ECC
if (srkAlg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (srkAlg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter
* encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@ -191,7 +199,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_noDA);
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && !defined(NO_ASN)
if (impFile != NULL) {
printf("Loading %s%s key file: %s\n",
encType == ENCODING_TYPE_PEM ? "PEM" : "DER",
@ -202,7 +210,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
if (isPublicKey) {
rc = wolfTPM2_ImportPublicKeyBuffer(&dev,
alg,
(WOLFTPM2_KEY*)&impKey,
(WOLFTPM2_KEY*)&impKey,
encType,
(const char*)buf, (word32)bufSz,
attributes
@ -219,6 +227,12 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
);
}
}
#if defined(NO_RSA) || !defined(HAVE_ECC)
if (rc == NOT_COMPILED_IN) {
printf("Feature not compiled in! Skipping test\n");
rc = 0; /* allowing error */
}
#endif
}
else
#else

28
examples/keygen/keyload.c
View File

@ -66,12 +66,15 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
WOLFTPM2_KEY *primary = NULL;
WOLFTPM2_KEYBLOB newKey;
WOLFTPM2_KEY persistKey;
TPM_ALG_ID alg;
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
WOLFTPM2_SESSION tpmSession;
const char* inputFile = "keyblob.bin";
int persistent = 0;
int endorseKey = 0;
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
XSTRCMP(argv[1], "-h") == 0 ||
@ -129,18 +132,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
goto exit;
#endif
alg = newKey.pub.publicArea.type;
if (alg == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
printf("Loading %s key\n", TPM2_GetAlgName(alg));
if (endorseKey) {
/* endorsement is always RSA */
rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
if (rc != 0) goto exit;
endorse.handle.policyAuth = 1;
primary = &endorse;
}
else {
/* SRK: Use RSA or ECC SRK only. Prefer ECC */
TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC;
if (newKey.pub.publicArea.type == TPM_ALG_RSA)
srkAlg = TPM_ALG_RSA;
rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
if (rc != 0) goto exit;
primary = &storage;
@ -154,11 +158,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
if (rc != 0) goto exit;
}
if (paramEncAlg != TPM_ALG_NULL) {
else if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = &storage;
#ifndef HAVE_ECC
if (srkAlg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (srkAlg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter
* encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

8
examples/nvram/store.c
View File

@ -79,6 +79,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
word32 nvIndex = TPM2_DEMO_NVRAM_STORE_INDEX;
byte* auth = (byte*)gNvAuth;
word32 authSz = (word32)sizeof(gNvAuth)-1;
word32 nvSize;
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
@ -171,12 +172,17 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
if (rc != 0) goto exit;
/* Estimate size of NV */
nvSize =
keyBlob.pub.size + sizeof(keyBlob.pub.size) + sizeof(UINT16) +
keyBlob.priv.size + sizeof(keyBlob.priv.size) + sizeof(UINT16);
/* Try and open existing NV */
rc = wolfTPM2_NVOpen(&dev, &nv, nvIndex, auth, authSz);
if (rc != 0) {
/* In not found try create using wolfTPM2 wrapper for NV_Define */
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex,
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, auth, authSz);
nvAttributes, nvSize, auth, authSz);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
}

24
examples/pcr/policy_sign.c
View File

@ -133,7 +133,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
}
}
if (rc == 0 && alg == TPM_ALG_RSA) {
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(NO_ASN)
rc = wc_InitRsaKey(&key.rsa, NULL);
if (rc == 0) {
byte encHash[WC_MAX_DIGEST_SIZE + WC_MAX_ENCODED_DIG_ASN_SZ];
@ -173,7 +173,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
#endif
}
else if (rc == 0 && alg == TPM_ALG_ECC) {
#if defined(HAVE_ECC) && defined(WOLFSSL_PUBLIC_MP)
#if defined(HAVE_ECC) && defined(WOLFSSL_PUBLIC_MP) && !defined(NO_ASN)
rc = wc_ecc_init(&key.ecc);
if (rc == 0) {
word32 idx = 0;
@ -203,6 +203,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
wc_ecc_free(&key.ecc);
}
#else
(void)hashAlg;
rc = NOT_COMPILED_IN;
#endif
}
@ -212,6 +213,12 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wc_FreeRng(&rng);
(void)hash;
(void)hashSz;
(void)sig;
(void)sigSz;
(void)authPubKey;
if (rc != 0) {
printf("Policy Sign with external key failed %d\n", rc);
}
@ -302,6 +309,19 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[])
printf("Sign PCR Policy Example\n");
#ifndef HAVE_ECC
if (alg == TPM_ALG_ECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (alg == TPM_ALG_RSA) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif
/* Setup PCR's */
if (pcrArraySz == 0) {
pcrArray[pcrArraySz] = TPM2_DEMO_PCR_INDEX;

11
examples/pcr/quote.c
View File

@ -145,8 +145,17 @@ int TPM2_PCR_Quote_Test(void* userCtx, int argc, char *argv[])
(word32)aik.handle.hndl, aik.pub.size);
if (paramEncAlg != TPM_ALG_NULL) {
void* bindKey = &storage;
#ifndef HAVE_ECC
if (alg == TPM_ALG_ECC)
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
#ifdef NO_RSA
if (alg == TPM_ALG_RSA)
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
/* Start an authenticated session (salted / unbound) with parameter encryption */
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

72
examples/pkcs7/pkcs7.c
View File

@ -62,7 +62,7 @@
#ifdef ENABLE_PKCS7EX_EXAMPLE
/* Dummy Function to Get Data */
#define MY_DATA_CHUNKS WOLFTPM2_MAX_BUFFER
#define MY_DATA_CHUNKS MAX_DIGEST_BUFFER
#define MY_DATA_TOTAL (1024 * 1024) + 12 /* odd remainder for test */
static int GetMyData(byte* buffer, word32 bufSz, word32 offset)
{
@ -92,8 +92,9 @@ static int GetMyData(byte* buffer, word32 bufSz, word32 offset)
/* The wc_PKCS7_EncodeSignedData_ex and wc_PKCS7_VerifySignedData_ex functions
were added in this PR https://github.com/wolfSSL/wolfssl/pull/1780. */
static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert,
WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile)
static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId,
byte* derCert, word32 derCertSz, byte* derPubKey, word32 derPubKeySz,
int alg, enum wc_HashType hashType, const char* outFile)
{
int rc;
PKCS7 pkcs7;
@ -139,7 +140,7 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER*
/* Generate and verify PKCS#7 files containing data using TPM key */
rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId);
if (rc != 0) goto exit;
rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size);
rc = wc_PKCS7_InitWithCert(&pkcs7, derCert, derCertSz);
if (rc != 0) goto exit;
pkcs7.content = NULL; /* not used */
@ -149,8 +150,8 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER*
pkcs7.rng = wolfTPM2_GetRng(dev);
/* pass public key instead of private here. The PKCS7 will try a public
* key decode if using crypto callbacks */
pkcs7.privateKey = derPubKey->buffer;
pkcs7.privateKeySz = derPubKey->size;
pkcs7.privateKey = derPubKey;
pkcs7.privateKeySz = derPubKeySz;
outputHeadSz = (int)sizeof(outputHead);
outputFootSz = (int)sizeof(outputFoot);
@ -241,8 +242,9 @@ exit:
}
#endif /* ENABLE_PKCS7EX_EXAMPLE */
static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert,
WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile)
static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId,
byte* derCert, word32 derCertSz, byte* derPubKey, word32 derPubKeySz,
int alg, enum wc_HashType hashType, const char* outFile)
{
int rc;
PKCS7 pkcs7;
@ -258,7 +260,7 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de
/* Generate and verify PKCS#7 files containing data using TPM key */
rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId);
if (rc != 0) goto exit;
rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size);
rc = wc_PKCS7_InitWithCert(&pkcs7, derCert, derCertSz);
if (rc != 0) goto exit;
pkcs7.content = data;
@ -268,8 +270,8 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de
pkcs7.rng = wolfTPM2_GetRng(dev);
/* pass public key instead of private here. The PKCS7 will try a public
* key decode if using crypto callbacks */
pkcs7.privateKey = derPubKey->buffer;
pkcs7.privateKeySz = derPubKey->size;
pkcs7.privateKey = derPubKey;
pkcs7.privateKeySz = derPubKeySz;
rc = wc_PKCS7_EncodeSignedData(&pkcs7, output, sizeof(output));
if (rc <= 0) goto exit;
@ -339,8 +341,10 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
TPMT_PUBLIC publicTemplate;
TpmCryptoDevCtx tpmCtx;
int tpmDevId;
WOLFTPM2_BUFFER derCert;
WOLFTPM2_BUFFER derPubKey;
byte derCert[MAX_PKCS7_SIZE];
word32 derCertSz = 0;
byte derPubKey[MAX_PKCS7_SIZE];
word32 derPubKeySz;
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
XFILE derFile;
const char* inCert = NULL;
@ -387,12 +391,24 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
printf("TPM2 PKCS7 Example\n");
XMEMSET(&derCert, 0, sizeof(derCert));
XMEMSET(&derPubKey, 0, sizeof(derPubKey));
XMEMSET(&tpmKey, 0, sizeof(tpmKey));
XMEMSET(&storageKey, 0, sizeof(storageKey));
#ifndef HAVE_ECC
if (alg == TPM_ALG_ECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (alg == TPM_ALG_RSA) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) return rc;
@ -475,35 +491,43 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
derFile = XFOPEN(inCert, "rb");
if (derFile != XBADFILE) {
XFSEEK(derFile, 0, XSEEK_END);
derCert.size = (int)XFTELL(derFile);
derCertSz = (int)XFTELL(derFile);
XREWIND(derFile);
if (derCert.size > (int)sizeof(derCert.buffer)) {
if (derCertSz > (int)sizeof(derCert)) {
rc = BUFFER_E;
}
else {
rc = (int)XFREAD(derCert.buffer, 1, derCert.size, derFile);
rc = (rc == derCert.size) ? 0 : -1;
rc = (int)XFREAD(derCert, 1, derCertSz, derFile);
rc = (rc == (int)derCertSz) ? 0 : -1;
}
XFCLOSE(derFile);
if (rc != 0) goto exit;
}
else {
printf("Failed to open %s\n", inCert);
rc = BAD_FUNC_ARG;
goto exit;
}
#else
rc = NOT_COMPILED_IN;
goto exit;
#endif
/* Export TPM public key as DER/ASN.1 (should match certificate) */
derPubKey.size = (int)sizeof(derPubKey.buffer);
derPubKeySz = (int)sizeof(derPubKey);
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, &tpmKey,
ENCODING_TYPE_ASN1, derPubKey.buffer, (word32*)&derPubKey.size);
ENCODING_TYPE_ASN1, derPubKey, (word32*)&derPubKeySz);
if (rc != 0) goto exit;
/* PKCS 7 sign/verify example */
rc = PKCS7_SignVerify(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType,
outFile);
rc = PKCS7_SignVerify(&dev, tpmDevId, derCert, derCertSz, derPubKey,
derPubKeySz, alg, hashType, outFile);
if (rc != 0) goto exit;
#ifdef ENABLE_PKCS7EX_EXAMPLE
/* PKCS 7 large data sign/verify example */
rc = PKCS7_SignVerifyEx(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType,
outFileEx);
rc = PKCS7_SignVerifyEx(&dev, tpmDevId, derCert, derCertSz, derPubKey,
derPubKeySz, alg, hashType, outFileEx);
if (rc != 0) goto exit;
#endif

448
examples/run_examples.sh
View File

@ -10,6 +10,15 @@ fi
if [ -z "$WOLFCRYPT_ENABLE" ]; then
WOLFCRYPT_ENABLE=1
fi
if [ -z "$WOLFCRYPT_DEFAULT" ]; then
WOLFCRYPT_DEFAULT=0
fi
if [ -z "$WOLFCRYPT_ECC" ]; then
WOLFCRYPT_ECC=1
fi
if [ -z "$WOLFCRYPT_RSA" ]; then
WOLFCRYPT_RSA=1
fi
rm -f run.out
touch run.out
@ -100,41 +109,62 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1
./examples/keygen/keygen keyblob.bin -rsa -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1
./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc xor failed! $RESULT" && exit 1
./examples/keygen/keyload keyblob.bin -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc xor failed! $RESULT" && exit 1
./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1
RESULT=$?
rm -f rsakeyblob.bin
[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen rsa param enc aes failed! $RESULT" && exit 1
./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1
RESULT=$?
if [ $WOLFCRYPT_RSA -eq 1 ]; then
[ $RESULT -ne 0 ] && echo -e "keyload rsa param enc aes failed! $RESULT" && exit 1
./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload rsa load failed! $RESULT" && exit 1
rm -f rsakeyblob.bin
fi
fi
fi
# keeping keyblob.bin for later tests
./examples/keygen/keygen ecckeyblob.bin -ecc >> run.out 2>&1
./examples/keygen/keygen eccblob.bin -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc failed! $RESULT" && exit 1
./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1
./examples/keygen/keyload eccblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/keygen/keygen eccblob.bin -ecc -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1
./examples/keygen/keyload eccblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ECC -eq 1 ]; then
./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keyload ecc load failed! $RESULT" && exit 1
rm -f ecckeyblob.bin
fi
fi
fi
rm -f ecckeyblob.bin
rm -f ececcblob.bin
./examples/keygen/keygen symkeyblob.bin -sym=aescfb128 >> run.out 2>&1
RESULT=$?
@ -173,12 +203,21 @@ fi
# NV Tests
echo -e "NV Tests"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/nvram/store -aes >> run.out 2>&1
./examples/nvram/store -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1
./examples/nvram/read -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1
./examples/nvram/read -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/nvram/store -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1
./examples/nvram/read -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1
fi
fi
./examples/nvram/store -priv >> run.out 2>&1
RESULT=$?
@ -187,12 +226,21 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/nvram/store -priv -aes >> run.out 2>&1
./examples/nvram/store -priv -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1
./examples/nvram/read -priv -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1
./examples/nvram/read -priv -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/nvram/store -priv -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1
./examples/nvram/read -priv -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1
fi
fi
./examples/nvram/store -pub >> run.out 2>&1
RESULT=$?
@ -217,7 +265,7 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/csr/csr -cert >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1
@ -236,7 +284,7 @@ fi
# PKCS7 Tests
echo -e "PKCS7 tests"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/pkcs7/pkcs7 >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
@ -256,11 +304,11 @@ generate_port() {
echo -e "Using port $port" >> run.out 2>&1
}
run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as client) $1 $2"
run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversion]
echo -e "TLS test (TPM as client) $1 $2 $3"
generate_port
pushd $WOLFSSL_PATH >> run.out 2>&1
echo -e "./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out &
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
@ -273,8 +321,8 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
[ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
}
run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
echo -e "TLS test (TPM as server) $1 $2"
run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversion]
echo -e "TLS test (TPM as server) $1 $2 $3"
generate_port
echo -e "./examples/tls/tls_server -p=$port -$1 $2"
@ -284,35 +332,61 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
pushd $WOLFSSL_PATH >> run.out 2>&1
sleep 0.1
echo -e "./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
echo -e "./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
popd >> run.out 2>&1
}
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
# Run with Crypto CB
run_tpm_tls_client "rsa" ""
run_tpm_tls_client "rsa" "-aes"
run_tpm_tls_client "ecc" ""
run_tpm_tls_client "ecc" "-aes"
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
if [ $WOLFCRYPT_RSA -eq 1 ]; then
# TLS client/server RSA TLS v1.2 and v1.2 Crypto callbacks
run_tpm_tls_client "rsa" "" "3"
run_tpm_tls_client "rsa" "-aes" "3"
run_tpm_tls_client "rsa" "" "4"
run_tpm_tls_client "rsa" "-aes" "4"
run_tpm_tls_server "rsa" ""
run_tpm_tls_server "rsa" "-aes"
run_tpm_tls_server "ecc" ""
run_tpm_tls_server "ecc" "-aes"
run_tpm_tls_server "rsa" "" "3"
run_tpm_tls_server "rsa" "-aes" "3"
run_tpm_tls_server "rsa" "" "4"
run_tpm_tls_server "rsa" "-aes" "4"
# Run with PK
run_tpm_tls_client "rsa" "-pk"
run_tpm_tls_client "rsa" "-pk -aes"
run_tpm_tls_client "ecc" "-pk"
run_tpm_tls_client "ecc" "-pk -aes"
# TLS client/server ECC TLS v1.2 and v1.2 PK callbacks
run_tpm_tls_client "rsa" "-pk" "3"
run_tpm_tls_client "rsa" "-pk -aes" "3"
run_tpm_tls_client "rsa" "-pk" "4"
run_tpm_tls_client "rsa" "-pk -aes" "4"
run_tpm_tls_server "rsa" "-pk "
run_tpm_tls_server "rsa" "-pk -aes"
run_tpm_tls_server "ecc" "-pk"
run_tpm_tls_server "ecc" "-pk -aes"
run_tpm_tls_server "rsa" "-pk " "3"
run_tpm_tls_server "rsa" "-pk -aes" "3"
run_tpm_tls_server "rsa" "-pk " "4"
run_tpm_tls_server "rsa" "-pk -aes" "4"
fi
if [ $WOLFCRYPT_ECC -eq 1 ]; then
# TLS client/server ECC TLS v1.2 and v1.2 Crypto callbacks
run_tpm_tls_client "ecc" "" "3"
run_tpm_tls_client "ecc" "-aes" "3"
run_tpm_tls_client "ecc" "" "4"
run_tpm_tls_client "ecc" "-aes" "4"
run_tpm_tls_server "ecc" "" "3"
run_tpm_tls_server "ecc" "-aes" "3"
run_tpm_tls_server "ecc" "" "4"
run_tpm_tls_server "ecc" "-aes" "4"
# TLS client/server ECC TLS v1.2 and v1.2 PK callbacks
run_tpm_tls_client "ecc" "-pk" "3"
run_tpm_tls_client "ecc" "-pk -aes" "3"
run_tpm_tls_client "ecc" "-pk" "4"
run_tpm_tls_client "ecc" "-pk -aes" "4"
run_tpm_tls_server "ecc" "-pk" "3"
run_tpm_tls_server "ecc" "-pk -aes" "3"
run_tpm_tls_server "ecc" "-pk" "4"
run_tpm_tls_server "ecc" "-pk -aes" "4"
fi
fi
@ -382,17 +456,29 @@ RESULT=$?
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1
./examples/pcr/quote 16 zip.quote -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "pcr quote param enc xor failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote param enc aes failed! $RESULT" && exit 1
fi
fi
./examples/pcr/quote 16 zip.quote -ecc >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1
./examples/pcr/quote 16 zip.quote -ecc -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc xor failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc aes failed! $RESULT" && exit 1
fi
fi
rm -f zip.quote
@ -403,14 +489,20 @@ echo -e "Benchmark tests"
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1
./examples/bench/bench -maxdur=25 -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "bench (XOR param enc) failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1
fi
fi
# Secure Boot ROT
echo -e "Secure Boot ROT (Root of Trust) test"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1
@ -455,19 +547,28 @@ RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
rm -f sealedkeyblob.bin
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_RSA -eq 1 ]; then
./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
[ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
[ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1
if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
fi
rm -f sealedkeyblob.bin
fi
# Seal/Unseal (Policy auth)
echo -e "Seal/Unseal (Policy auth)"
if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
# Extend "aaa" to test PCR 16
echo aaa > aaa.bin
./examples/pcr/reset 16 >> run.out 2>&1
@ -477,121 +578,124 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "pcr 16 extend failed! $RESULT" && exit 1
# RSA
./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1
./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1
if [ $WOLFCRYPT_RSA -eq 1 ]; then
# RSA
./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1
./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1
# RSA (recreate policy auth using public key instead of using policyauth.bin)
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
rm -f $TMPFILE
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1
# RSA (recreate policy auth using public key instead of using policyauth.bin)
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
rm -f $TMPFILE
[ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1
# Test RSA Unseal Expected Failure Case
# Create different ECC policy key to test failure case
openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1
openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1
# Test RSA Unseal Expected Failure Case
# Create different ECC policy key to test failure case
openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1
openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1
# Sign policy using different private key
./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1
# Sign policy using different private key
./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1
# This RSA unseal should fail!
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1
# This RSA unseal should fail!
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1
rm -f tmp-rsa2048-key.pem
rm -f tmp-rsa2048-key-pub.der
rm -f pcrsig_fail.bin
rm -f tmp-rsa2048-key.pem
rm -f tmp-rsa2048-key-pub.der
rm -f pcrsig_fail.bin
fi
if [ $WOLFCRYPT_ECC -eq 1 ]; then
# ECC
./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1
./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
rm -f $TMPFILE
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1
# ECC
./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1
./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
rm -f $TMPFILE
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1
# ECC (recreate policy auth using public key instead of using policyauth.bin)
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
rm -f $TMPFILE
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1
# ECC (recreate policy auth using public key instead of using policyauth.bin)
TMPFILE=$(mktemp)
SECRET_STRING=`head -c 32 /dev/random | base64`
./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE
RESULT=$?
cat $TMPFILE >> run.out
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1
grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1
RESULT=$?
rm -f $TMPFILE
[ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1
# Test ECC Unseal Expected Failure Case
# Create different ECC policy key to test failure case
openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1
openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1
# Sign policy using different private key
./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1
# Test ECC Unseal Expected Failure Case
# Create different ECC policy key to test failure case
openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1
openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1
# This ECC unseal should fail!
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1
# Sign policy using different private key
./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1
# This ECC unseal should fail!
./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1
RESULT=$?
[ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1
rm -f tmp-ecc256-key.pem
rm -f tmp-ecc256-key-pub.der
rm -f pcrsig_fail.bin
rm -f tmp-ecc256-key.pem
rm -f tmp-ecc256-key-pub.der
rm -f pcrsig_fail.bin
fi
rm -f pcrsig.bin
rm -f policyauth.bin

5
examples/timestamp/signed_timestamp.c
View File

@ -46,7 +46,7 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n");
printf("./examples/timestamp/signed_timestamp [-ecc/-rsa] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC for SRK/AIK\n");
printf("* -aes/xor: Use Parameter Encryption\n");
}
@ -93,6 +93,9 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
alg = TPM_ALG_ECC;
}
else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
alg = TPM_ALG_RSA;
}
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
paramEncAlg = TPM_ALG_CFB;
}

29
examples/tls/tls_client.c
View File

@ -86,8 +86,9 @@
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC key\n");
printf("./examples/tls/tls_client [-ecc/rsa] [-aes/xor]\n");
printf("* -ecc: Use ECC key/cert\n");
printf("* -rsa: Use RSA key/cert\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
@ -195,6 +196,19 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
printf("\tUsing Port: %d\n", port);
printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");
#ifndef HAVE_ECC
if (useECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (!useECC) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) {
@ -394,7 +408,16 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
/* Export TPM public key as DER */
byte der[1024];
word32 derSz = (word32)sizeof(der);
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey,
#if defined(HAVE_ECC) && !defined(NO_RSA)
void* pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
void* pkey = &rsaKey;
#elif defined(HAVE_ECC)
void* pkey = &eccKey;
#else
void* pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export RSA public key!\n");

35
examples/tls/tls_common.h
View File

@ -386,6 +386,41 @@ static inline int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
return 1;
}
#ifndef NO_DH
/* dh2048 p */
static const unsigned char test_dh_p[] =
{
0xD3, 0xB2, 0x99, 0x84, 0x5C, 0x0A, 0x4C, 0xE7, 0x37, 0xCC, 0xFC, 0x18,
0x37, 0x01, 0x2F, 0x5D, 0xC1, 0x4C, 0xF4, 0x5C, 0xC9, 0x82, 0x8D, 0xB7,
0xF3, 0xD4, 0xA9, 0x8A, 0x9D, 0x34, 0xD7, 0x76, 0x57, 0xE5, 0xE5, 0xC3,
0xE5, 0x16, 0x85, 0xCA, 0x4D, 0xD6, 0x5B, 0xC1, 0xF8, 0xCF, 0x89, 0x26,
0xD0, 0x38, 0x8A, 0xEE, 0xF3, 0xCD, 0x33, 0xE5, 0x56, 0xBB, 0x90, 0x83,
0x9F, 0x97, 0x8E, 0x71, 0xFB, 0x27, 0xE4, 0x35, 0x15, 0x45, 0x86, 0x09,
0x71, 0xA8, 0x9A, 0xB9, 0x3E, 0x0F, 0x51, 0x8A, 0xC2, 0x75, 0x51, 0x23,
0x12, 0xFB, 0x94, 0x31, 0x44, 0xBF, 0xCE, 0xF6, 0xED, 0xA6, 0x3A, 0xB7,
0x92, 0xCE, 0x16, 0xA9, 0x14, 0xB3, 0x88, 0xB7, 0x13, 0x81, 0x71, 0x83,
0x88, 0xCD, 0xB1, 0xA2, 0x37, 0xE1, 0x59, 0x5C, 0xD0, 0xDC, 0xCA, 0x82,
0x87, 0xFA, 0x43, 0x44, 0xDD, 0x78, 0x3F, 0xCA, 0x27, 0x7E, 0xE1, 0x6B,
0x93, 0x19, 0x7C, 0xD9, 0xA6, 0x96, 0x47, 0x0D, 0x12, 0xC1, 0x13, 0xD7,
0xB9, 0x0A, 0x40, 0xD9, 0x1F, 0xFF, 0xB8, 0xB4, 0x00, 0xC8, 0xAA, 0x5E,
0xD2, 0x66, 0x4A, 0x05, 0x8E, 0x9E, 0xF5, 0x34, 0xE7, 0xD7, 0x09, 0x7B,
0x15, 0x49, 0x1D, 0x76, 0x31, 0xD6, 0x71, 0xEC, 0x13, 0x4E, 0x89, 0x8C,
0x09, 0x22, 0xD8, 0xE7, 0xA3, 0xE9, 0x7D, 0x21, 0x51, 0x26, 0x6E, 0x9F,
0x30, 0x8A, 0xBB, 0xBC, 0x74, 0xC1, 0xC3, 0x27, 0x6A, 0xCE, 0xA3, 0x12,
0x60, 0x68, 0x01, 0xD2, 0x34, 0x07, 0x80, 0xCC, 0x2D, 0x7F, 0x5C, 0xAE,
0xA2, 0x97, 0x40, 0xC8, 0x3C, 0xAC, 0xDB, 0x6F, 0xFE, 0x6C, 0x6D, 0xD2,
0x06, 0x1C, 0x43, 0xA2, 0xB2, 0x2B, 0x82, 0xB7, 0xD0, 0xAB, 0x3F, 0x2C,
0xE7, 0x9C, 0x19, 0x16, 0xD1, 0x5E, 0x26, 0x86, 0xC7, 0x92, 0xF9, 0x16,
0x0B, 0xFA, 0x66, 0x83
};
/* dh2048 g */
static const unsigned char test_dh_g[] =
{
0x02,
};
#endif /* !NO_DH */
/******************************************************************************/
/* --- END Supporting TLS functions --- */
/******************************************************************************/

37
examples/tls/tls_server.c
View File

@ -83,8 +83,9 @@ static int mStop = 0;
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n");
printf("* -ecc: Use RSA or ECC key\n");
printf("./examples/tls/tls_server [-ecc/rsa] [-aes/xor]\n");
printf("* -ecc: Use ECC key/cert\n");
printf("* -rsa: Use RSA key/cert\n");
printf("* -aes/xor: Use Parameter Encryption\n");
printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
#if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
@ -212,6 +213,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
printf("\tUsing Port: %d\n", port);
printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");
#ifndef HAVE_ECC
if (useECC) {
printf("ECC not compiled in!\n");
return 0; /* don't report error */
}
#endif
#ifdef NO_RSA
if (!useECC) {
printf("RSA not compiled in!\n");
return 0; /* don't report error */
}
#endif
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) {
@ -390,7 +404,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
/* Export TPM public key as DER */
byte der[1024];
word32 derSz = (word32)sizeof(der);
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey,
#if defined(HAVE_ECC) && !defined(NO_RSA)
void* pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
void* pkey = &rsaKey;
#elif defined(HAVE_ECC)
void* pkey = &eccKey;
#else
void* pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export TPM public key!\n");
@ -458,6 +481,14 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
}
#endif
#if !defined(NO_DH) && !defined(HAVE_ECC)
/* setup DHE option */
wolfSSL_CTX_SetTmpDH(ctx, test_dh_p, sizeof(test_dh_p), test_dh_g,
sizeof(test_dh_g));
#endif
printf("Waiting for client on port %d\n", port);
/* Setup socket and connection */
rc = SetupSocketAndListen(&sockIoCtx, port);
if (rc != 0) goto exit;

2
examples/tpm_test.h
View File

@ -44,7 +44,7 @@
#define TPM2_DEMO_NV_TEST_INDEX 0x01800200
#define TPM2_DEMO_NV_TEST_AUTH_INDEX 0x01800201
#define TPM2_DEMO_NVRAM_STORE_INDEX 0x01800202
#define TPM2_DEMO_NV_TEST_SIZE 1024 /* max size on Infineon SLB9670 is 1664 */
#define TPM2_DEMO_NV_TEST_SIZE MAX_DIGEST_BUFFER /* max size on Infineon SLB9670 is 1664 */
#define TPM2_DEMO_NV_COUNTER_INDEX 0x01800300
#define TPM2_DEMO_NV_SECURE_ROT_INDEX 0x01400200

2
examples/tpm_test_keys.c
View File

@ -422,7 +422,7 @@ int getECCkey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pStorageKey, WOLFTPM2_KEY* key,
if (rc != 0) {
return rc;
}
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN)
if (pWolfEccKey) {
/* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
rc = wc_ecc_init_ex((ecc_key*)pWolfEccKey, NULL, tpmDevId);

78
examples/wrap/wrap_test.c
View File

@ -116,7 +116,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
#ifndef WOLFTPM2_NO_WOLFCRYPT
int tpmDevId = INVALID_DEVID;
#if defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(NO_ASN))
#if (defined(HAVE_ECC) || !defined(NO_RSA)) && !defined(NO_ASN)
word32 idx;
#endif
#ifndef NO_RSA
@ -267,7 +267,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
void* bindKey = &storageKey;
#ifdef NO_RSA
bindKey = NULL; /* cannot bind to key without RSA enabled */
#endif
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@ -434,7 +438,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
#else
rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
if (rc != 0) goto exit;
#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */
#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */
/* Load raw RSA public key into TPM */
rc = wolfTPM2_LoadRsaPublicKey(&dev, &publicKey,
@ -459,24 +463,38 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit;
rc = wolfTPM2_RsaKey_WolfToTpm_ex(&dev, &storageKey, &wolfRsaPrivKey,
&rsaKey);
if (rc != 0) goto exit;
/* Use TPM Handle... */
wc_FreeRsaKey(&wolfRsaPrivKey);
if (rc != 0 && rc != NOT_COMPILED_IN) {
/* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for
* encrypting secrets */
goto exit;
}
printf("RSA Private Key Loaded into TPM: Handle 0x%x\n",
(word32)rsaKey.handle.hndl);
/* Use TPM Handle... */
rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
if (rc != 0) goto exit;
#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */
/* Load raw RSA private key into TPM */
rc = wolfTPM2_LoadRsaPrivateKey(&dev, &storageKey, &rsaKey,
kRsaKeyPubModulus, (word32)sizeof(kRsaKeyPubModulus),
kRsaKeyPubExponent,
kRsaKeyPrivQ, (word32)sizeof(kRsaKeyPrivQ));
if (rc != 0) goto exit;
/* Use TPM Handle... */
printf("RSA Private Key Loaded into TPM: Handle 0x%x\n",
if (rc != 0 && rc != NOT_COMPILED_IN) {
/* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for
* encrypting secrets */
goto exit;
}
printf("RSA Private Key RAW Loaded into TPM: Handle 0x%x\n",
(word32)rsaKey.handle.hndl);
/* Use TPM Handle... */
rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
if (rc != 0) goto exit;
#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */
/* Close TPM session based on RSA storage key */
wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
@ -529,7 +547,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
/* Start an authenticated session (salted / unbound) with parameter encryption */
if (paramEncAlg != TPM_ALG_NULL) {
rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
void* bindKey = &storageKey;
#ifndef HAVE_ECC
bindKey = NULL; /* cannot bind to key without ECC enabled */
#endif
rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
TPM_SE_HMAC, paramEncAlg);
if (rc != 0) goto exit;
printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@ -620,7 +642,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
/*------------------------------------------------------------------------*/
/* ECC KEY LOADING TESTS */
/*------------------------------------------------------------------------*/
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN)
/* Extract an ECC public key from TPM */
/* Setup wolf ECC key with TPM deviceID, so crypto callbacks
can be used for private operations */
@ -636,7 +658,6 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
if (rc != 0) goto exit;
/* Load ECC DER public key into TPM */
rc = wc_ecc_init(&wolfEccPubKey);
if (rc != 0) goto exit;
@ -653,7 +674,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
#else
rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
if (rc != 0) goto exit;
#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */
#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */
/* Load raw ECC public key into TPM */
rc = wolfTPM2_LoadEccPublicKey(&dev, &publicKey, TPM_ECC_NIST_P256,
@ -666,7 +687,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
rc = wolfTPM2_UnloadHandle(&dev, &publicKey.handle);
if (rc != 0) goto exit;
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN)
/* Load ECC DER Private Key into TPM */
rc = wc_ecc_init(&wolfEccPrivKey);
if (rc != 0) goto exit;
@ -676,15 +697,21 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit;
rc = wolfTPM2_EccKey_WolfToTpm_ex(&dev, &storageKey, &wolfEccPrivKey,
&eccKey);
wc_ecc_free(&wolfEccPrivKey);
if (rc != 0 && rc != NOT_COMPILED_IN) {
/* a NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
* exposing the mp_ math API's needed for encrypting secrets */
/* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
* exposing the mp_ math API's or AES CFB is not enabled.
* Both are needed for encrypting secrets */
goto exit;
}
printf("ECC Private Key Loaded into TPM: Handle 0x%x\n",
(word32)eccKey.handle.hndl);
/* Use TPM Handle... */
wc_ecc_free(&wolfEccPrivKey);
rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
if (rc != 0) goto exit;
#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */
/* Load raw ECC private key into TPM */
rc = wolfTPM2_LoadEccPrivateKey(&dev, &storageKey, &eccKey, TPM_ECC_NIST_P256,
@ -692,16 +719,18 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
kEccKeyPubYRaw, (word32)sizeof(kEccKeyPubYRaw),
kEccKeyPrivD, (word32)sizeof(kEccKeyPrivD));
if (rc != 0 && rc != NOT_COMPILED_IN) {
/* a NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
* exposing the mp_ math API's needed for encrypting secrets */
/* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
* exposing the mp_ math API's or AES CFB is not enabled.
* Both are needed for encrypting secrets */
goto exit;
}
/* Use TPM Handle... */
printf("ECC Private Key Loaded into TPM: Handle 0x%x\n",
printf("ECC Private Key RAW Loaded into TPM: Handle 0x%x\n",
(word32)eccKey.handle.hndl);
/* Use TPM Handle... */
rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
if (rc != 0) goto exit;
#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */
#if 0 /* disabled until ECC Encrypted salt is added */
/* Close TPM session based on ECC storage key */
@ -981,7 +1010,6 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
if (rc != 0) goto exit;
#endif
exit:
if (rc != 0) {
@ -999,6 +1027,10 @@ exit:
wolfTPM2_Cleanup(&dev);
#ifndef WOLFTPM2_NO_WOLFCRYPT
(void)tpmDevId;
#endif
return rc;
}

7
src/tpm2_cryptocb.c
View File

@ -27,9 +27,8 @@
#if !defined(WOLFTPM2_NO_WRAPPER)
#if defined(WOLFTPM_CRYPTOCB) || \
(defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY))
#if defined(HAVE_ECC) && (defined(WOLFTPM_CRYPTOCB) || \
(defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY)))
/* Helper to trim leading zeros when not required */
static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len)
{
@ -41,7 +40,7 @@ static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len)
*len -= idx;
return in;
}
#endif /* WOLFTPM_CRYPTOCB || HAVE_PK_CALLBACKS */
#endif
#ifdef WOLFTPM_CRYPTOCB

7
src/tpm2_linux.c
View File

@ -28,7 +28,6 @@
#ifdef WOLFTPM_LINUX_DEV
#include <wolftpm/tpm2_linux.h>
#include <wolftpm/tpm2_packet.h>
#include <wolftpm/tpm2_wrap.h> /* Needed only for WOLFTPM2_MAX_BUFFER */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
@ -48,11 +47,7 @@
* partial reads. The only way to receive a complete response is to read
* the maximum allowed TPM response from the kernel, which is 4K. And most
* of the ARM systems use older kernels, such as the RPI that uses v4.12
*
* The caller knows what the expected outcome of the operation is. Therefore,
* the response size is limited only by the WOLFTPM2_MAX_BUFFER used to limit
* the WOLFTPM2_BUFFER in wolfTPM wrappers */
*/
/* Talk to a TPM device exposed by the Linux tpm_tis driver */
int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)

90
src/tpm2_wrap.c
View File

@ -970,8 +970,10 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
#ifdef WOLFTPM_DEBUG_VERBOSE
printf("Session %d: Edit (PolicyAuth)\n", index);
printf("\tHandle 0x%x (not touching)\n", session->sessionHandle);
printf("\tPolicyAuth %d->%d\n", session->policyAuth, handle->policyAuth);
printf("\tAuth Sz %d -> %d\n", session->auth.size, authDigestSz + handle->auth.size);
printf("\tPolicyAuth %d->%d\n",
session->policyAuth, handle->policyAuth);
printf("\tAuth Sz %d -> %d\n", session->auth.size,
authDigestSz + handle->auth.size);
TPM2_PrintBin(session->auth.buffer, session->auth.size);
TPM2_PrintBin(handle->auth.buffer, handle->auth.size);
printf("\tName Sz %d -> %d\n", session->name.size, handle->name.size);
@ -979,8 +981,13 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
TPM2_PrintBin(handle->name.name, handle->name.size);
#endif
session->policyAuth = handle->policyAuth;
if ((word32)handle->auth.size + authDigestSz >
sizeof(session->auth.buffer)) {
return BUFFER_E;
}
session->auth.size = authDigestSz + handle->auth.size;
XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer, handle->auth.size);
XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer,
handle->auth.size);
session->name.size = handle->name.size;
XMEMCPY(session->name.name, handle->name.name, handle->name.size);
return TPM_RC_SUCCESS;
@ -2085,20 +2092,21 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
TPMT_SYM_DEF_OBJECT* sym, TPM2B_DATA* symSeed, int useIv)
{
int rc = 0;
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC)
#ifndef WOLFTPM2_NO_WOLFCRYPT
int outerWrap = 0, innerWrap = 0;
int digestSz = 0;
int integritySz = 0;
int ivSz = 0;
int sensSz = 0;
BYTE* sensitiveData = NULL;
TPM2B_SYM_KEY symKey;
TPM2B_IV ivField;
TPM2_Packet packet;
TPM2B_SYM_KEY symKey;
#ifdef WOLFTPM2_PRIVATE_IMPORT
TPM2B_DIGEST hmacKey;
Aes enc;
Hmac hmac_ctx;
#endif
if (sens == NULL || priv == NULL) {
return BAD_FUNC_ARG;
@ -2160,6 +2168,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
}
if (outerWrap) {
#ifdef WOLFTPM2_PRIVATE_IMPORT
/* Generate symmetric key for encryption of inner values */
symKey.size = (symKey.size + 7) / 8; /* convert to byte and round up */
rc = TPM2_KDFa(nameAlg, symSeed, "STORAGE", (TPM2B_NONCE*)name,
@ -2230,10 +2239,15 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
/* store the size of the integrity */
digestSz = TPM2_Packet_SwapU16(digestSz);
XMEMCPY(&priv->buffer[0], &digestSz, sizeof(word16));
#else
(void)sensitiveData;
(void)name;
(void)symKey;
rc = NOT_COMPILED_IN;
#endif
}
#else
rc = NOT_COMPILED_IN;
(void)sens;
(void)priv;
(void)nameAlg;
@ -2242,6 +2256,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
(void)sym;
(void)symSeed;
(void)useIv;
rc = NOT_COMPILED_IN;
#endif
return rc;
}
@ -2727,7 +2742,6 @@ int wolfTPM2_ReadPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
}
#ifndef WOLFTPM2_NO_WOLFCRYPT
#ifndef NO_ASN
#ifndef NO_RSA
int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz,
@ -2825,7 +2839,7 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz,
return rc;
}
#endif
#endif /* !NO_RSA */
#ifdef HAVE_ECC
int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub,
TPM2B_SENSITIVE* sens, TPMA_OBJECT attributes)
@ -2967,6 +2981,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
}
}
#else
(void)out;
rc = NOT_COMPILED_IN;
#endif
}
@ -3006,16 +3021,15 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
/* Optionally convert to PEM */
if (rc == 0 && encodingType == ENCODING_TYPE_PEM) {
#ifdef WOLFSSL_DER_TO_PEM
WOLFTPM2_BUFFER tmp;
if (derSz > (word32)sizeof(tmp.buffer)) {
byte tmp[MAX_CONTEXT_SIZE];
if (derSz > (word32)sizeof(tmp)) {
rc = BUFFER_E;
}
else {
/* move DER to temp variable */
tmp.size = derSz;
XMEMCPY(tmp.buffer, out, derSz);
XMEMCPY(tmp, out, derSz);
XMEMSET(out, 0, *outSz);
rc = wc_DerToPem(tmp.buffer, tmp.size, out, *outSz, PUBLICKEY_TYPE);
rc = wc_DerToPem(tmp, derSz, out, *outSz, PUBLICKEY_TYPE);
if (rc > 0) {
*outSz = rc;
rc = 0;
@ -3193,10 +3207,8 @@ int wolfTPM2_ImportPrivateKeyBuffer(WOLFTPM2_DEV* dev,
return rc;
}
#endif /* !NO_ASN */
#ifndef NO_RSA
#ifndef NO_ASN
int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev,
const WOLFTPM2_KEY* parentKey, WOLFTPM2_KEYBLOB* keyBlob, const byte* input,
word32 inSz, TPMI_ALG_RSA_SCHEME scheme, TPMI_ALG_HASH hashAlg)
@ -3242,7 +3254,6 @@ int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev,
return rc;
}
#endif /* !NO_ASN */
#ifdef WOLFTPM2_PEM_DECODE
int wolfTPM2_RsaPrivateKeyImportPem(WOLFTPM2_DEV* dev,
@ -3257,6 +3268,24 @@ int wolfTPM2_RsaPrivateKeyImportPem(WOLFTPM2_DEV* dev,
}
#endif /* WOLFTPM2_PEM_DECODE */
int wolfTPM2_RsaKey_TpmToPemPub(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
byte* pem, word32* pemSz)
{
return wolfTPM2_ExportPublicKeyBuffer(dev, tpmKey,
ENCODING_TYPE_PEM, pem, pemSz);
}
#endif /* !NO_RSA */
#endif /* !NO_ASN */
#ifndef NO_RSA
static word32 wolfTPM2_RsaKey_Exponent(byte* e, word32 eSz)
{
word32 exponent = 0, i;
for (i=0; i<eSz && i<sizeof(word32); i++) {
exponent |= ((word32)e[i]) << (i*8);
}
return exponent;
}
int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
RsaKey* wolfKey)
@ -3294,22 +3323,6 @@ int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
return rc;
}
int wolfTPM2_RsaKey_TpmToPemPub(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
byte* pem, word32* pemSz)
{
return wolfTPM2_ExportPublicKeyBuffer(dev, tpmKey,
ENCODING_TYPE_PEM, pem, pemSz);
}
static word32 wolfTPM2_RsaKey_Exponent(byte* e, word32 eSz)
{
word32 exponent = 0, i;
for (i=0; i<eSz && i<sizeof(word32); i++) {
exponent |= ((word32)e[i]) << (i*8);
}
return exponent;
}
int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
RsaKey* wolfKey, WOLFTPM2_KEY* tpmKey)
{
@ -3369,6 +3382,7 @@ int wolfTPM2_RsaKey_WolfToTpm(WOLFTPM2_DEV* dev, RsaKey* wolfKey,
return wolfTPM2_RsaKey_WolfToTpm_ex(dev, NULL, wolfKey, tpmKey);
}
#ifndef NO_ASN
int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
const byte* pem, word32 pemSz)
{
@ -3413,6 +3427,7 @@ int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
return rc;
}
#endif /* !NO_ASN */
#endif /* !NO_RSA */
#ifdef HAVE_ECC
@ -6719,15 +6734,14 @@ static int CSR_MakeAndSign(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, CSRKey* key,
/* Optionally convert to PEM */
if (rc >= 0 && outFormat == CTC_FILETYPE_PEM) {
#ifdef WOLFSSL_DER_TO_PEM
WOLFTPM2_BUFFER tmp;
tmp.size = rc;
if (rc > (int)sizeof(tmp.buffer)) {
byte tmp[MAX_CONTEXT_SIZE];
if (rc > (int)sizeof(tmp)) {
rc = BUFFER_E;
}
else {
XMEMCPY(tmp.buffer, out, rc);
XMEMCPY(tmp, out, rc);
XMEMSET(out, 0, outSz);
rc = wc_DerToPem(tmp.buffer, tmp.size, out, outSz,
rc = wc_DerToPem(tmp, (word32)rc, out, outSz,
selfSignCert ? CERT_TYPE : CERTREQ_TYPE);
}
#else

21
tests/unit_tests.c
View File

@ -332,7 +332,8 @@ static void test_wolfTPM2_CSR(void)
#endif
}
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) && \
!defined(NO_RSA)
static WOLFTPM2_KEY authKey; /* also used for test_wolfTPM2_PCRPolicy */
static void test_wolfTPM_ImportPublicKey(void)
@ -499,7 +500,7 @@ static void test_wolfTPM2_KeyBlob(TPM_ALG_ID alg)
WOLFTPM2_DEV dev;
WOLFTPM2_KEY srk;
WOLFTPM2_KEYBLOB key;
WOLFTPM2_BUFFER blob;
byte blob[MAX_CONTEXT_SIZE];
TPMT_PUBLIC publicTemplate;
word32 privBufferSz, pubBufferSz;
@ -550,25 +551,26 @@ static void test_wolfTPM2_KeyBlob(TPM_ALG_ID alg)
NULL, &privBufferSz, &key);
AssertIntEQ(rc, LENGTH_ONLY_E);
AssertIntLT(pubBufferSz + privBufferSz, sizeof(blob));
/* Test exporting private and public parts separately */
rc = wolfTPM2_GetKeyBlobAsSeparateBuffers(blob.buffer, &pubBufferSz,
&blob.buffer[pubBufferSz], &privBufferSz, &key);
rc = wolfTPM2_GetKeyBlobAsSeparateBuffers(blob, &pubBufferSz,
blob +pubBufferSz, &privBufferSz, &key);
AssertIntEQ(rc, 0);
/* Test getting size only */
rc = wolfTPM2_GetKeyBlobAsBuffer(NULL, sizeof(blob.buffer), &key);
rc = wolfTPM2_GetKeyBlobAsBuffer(NULL, sizeof(blob), &key);
AssertIntGT(rc, 0);
/* Export private and public key */
rc = wolfTPM2_GetKeyBlobAsBuffer(blob.buffer, sizeof(blob.buffer), &key);
rc = wolfTPM2_GetKeyBlobAsBuffer(blob, sizeof(blob), &key);
AssertIntGT(rc, 0);
blob.size = rc;
/* Reset the originally created key */
XMEMSET(&key, 0, sizeof(key));
/* Load key blob (private/public) from buffer */
rc = wolfTPM2_SetKeyBlobFromBuffer(&key, blob.buffer, blob.size);
rc = wolfTPM2_SetKeyBlobFromBuffer(&key, blob, rc);
AssertIntEQ(rc, 0);
key.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(key.handle.auth.buffer, gKeyAuth, key.handle.auth.size);
@ -604,7 +606,8 @@ int unit_tests(int argc, char *argv[])
test_TPM2_KDFa();
test_wolfTPM2_ReadPublicKey();
test_wolfTPM2_CSR();
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE)
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) && \
!defined(NO_RSA)
test_wolfTPM_ImportPublicKey();
test_wolfTPM2_PCRPolicy();
#endif

12
wolftpm/tpm2_types.h
View File

@ -646,6 +646,7 @@ typedef int64_t INT64;
#ifndef WOLFTPM2_WRAP_DIGEST
#define WOLFTPM2_WRAP_DIGEST TPM_ALG_SHA256
#endif
/* Defines the default RSA key bits for the wrapper functions */
#ifndef WOLFTPM2_WRAP_RSA_KEY_BITS
#define WOLFTPM2_WRAP_RSA_KEY_BITS MAX_RSA_KEY_BITS
@ -672,17 +673,24 @@ typedef int64_t INT64;
#if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER) && \
(defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) && \
!defined(NO_ASN)
/* Enable the certificate PEM decode support */
#define WOLFTPM2_PEM_DECODE
#endif
/* Firmware upgrade requires wolfCrypt for hash and supported
* only for Infineon SLB9672/SLB9673 */
/* Firmware upgrade requires wolfCrypt for hashing.
* Supported only for Infineon SLB9672/SLB9673 */
#if defined(WOLFTPM_FIRMWARE_UPGRADE) && \
(defined(WOLFTPM2_NO_WOLFCRYPT) || \
(!defined(WOLFTPM_SLB9672) && !defined(WOLFTPM_SLB9673)))
#undef WOLFTPM_FIRMWARE_UPGRADE
#endif
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \
!defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC)
/* Support for importing external private keys */
#define WOLFTPM2_PRIVATE_IMPORT
#endif
/* ---------------------------------------------------------------------------*/
/* ENDIANESS HELPERS */

7
wolftpm/tpm2_wrap.h
View File

@ -95,13 +95,10 @@ typedef struct WOLFTPM2_CSR {
} WOLFTPM2_CSR;
#endif
#ifndef WOLFTPM2_MAX_BUFFER
#define WOLFTPM2_MAX_BUFFER 2048
#endif
/* buffer similar to TPM2B_MAX_BUFFER that can be used */
typedef struct WOLFTPM2_BUFFER {
int size;
byte buffer[WOLFTPM2_MAX_BUFFER];
byte buffer[MAX_DIGEST_BUFFER];
} WOLFTPM2_BUFFER;
typedef enum WOLFTPM2_MFG {