From 50c5f102776eb09ea2fb3cd8bbe74bbf95239121 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Fri, 28 Mar 2025 12:50:22 -0700
Subject: [PATCH 1/5] Added keygen optional authentication password -auth=
---
 examples/keygen/keygen.c | 31 +++++++++++++++++++++++++------
 examples/run_examples.sh | 32 +++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 9 deletions(-)
diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c
index d012f7d..830323b 100644
--- a/examples/keygen/keygen.c
+++ b/examples/keygen/keygen.c
@@ -43,7 +43,7 @@ static void usage(void)
 {
 printf("Expected usage:\n");
- printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa/-sym] [-t] [-aes/xor] [-eh] [-pem]\n");
+ printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa/-sym] [-t] [-aes/xor] [-eh] [-pem] [-auth=pass]\n");
 printf("* -pem: Store the primary and child public keys as PEM formatted files\n");
 printf("\t child public key filename: ak.pem or key.pem\n");
 printf("\t primary public key filename: ek.pem or srk.pem\n");
@@ -57,6 +57,8 @@ static void usage(void)
 printf("* -aes/xor: Use Parameter Encryption\n");
 printf("* -unique=[value]\n");
 printf("\t* Used for the KDF of the create\n");
+ printf("* -auth=pass: Use custom password for key authentication\n");
+ printf("\t* If not specified, no password is used\n");
 printf("Example usage:\n");
 printf("\t* RSA, default template\n");
@@ -118,6 +120,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 int bAIK = 1;
 int keyBits = 256;
 const char* uniqueStr = NULL;
+ const char* authStr = NULL;
 const char *outputFile = "keyblob.bin";
 const char *ekPubFile = "ek.pub";
 const char *srkPubFile = "srk.pub";
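Review bot: The new `-auth=pass` help text in the `@@ -57,6 +57,8 @@` hunk does not tell the user that the password is read straight from argv, so it is visible to other local users in process listings and is kept in shell history; since this is an example people copy, that caveat belongs in the usage text. Consider adding, after the two new lines, `printf("\t* Note: the value is passed on the command line (visible in process list and shell history)\n");`. usage() starts before this hunk and continues after it.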
@@ -176,6 +179,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 else if (XSTRNCMP(argv[argc-1], "-unique=", XSTRLEN("-unique=")) == 0) {
 uniqueStr = argv[argc-1] + XSTRLEN("-unique=");
 }
+ else if (XSTRNCMP(argv[argc-1], "-auth=", XSTRLEN("-auth=")) == 0) {
+ authStr = argv[argc-1] + XSTRLEN("-auth=");
+ }
 else if (argv[argc-1][0] != '-') {
 outputFile = argv[argc-1];
 }
@@ -292,9 +298,15 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 if (rc != 0) goto exit;
 /* set session for authorization key */
- auth.size = (int)sizeof(gAiKeyAuth)-1;
- XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
-
+ if (authStr != NULL) {
+ /* Use provided custom auth */
+ auth.size = (int)XSTRLEN(authStr);
+ XMEMCPY(auth.buffer, authStr, auth.size);
+ }
+ else {
+ auth.size = (int)sizeof(gAiKeyAuth)-1;
+ XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
+ }
 }
 else {
 if (alg == TPM_ALG_RSA) {
@@ -326,8 +338,15 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 }
 /* set session for authorization key */
- auth.size = (int)sizeof(gKeyAuth)-1;
- XMEMCPY(auth.buffer, gKeyAuth, auth.size);
+ if (authStr != NULL) {
+ /* Use provided custom auth key */
+ auth.size = (int)XSTRLEN(authStr);
+ XMEMCPY(auth.buffer, authStr, auth.size);
+ }
+ else {
+ auth.size = (int)sizeof(gKeyAuth)-1;
+ XMEMCPY(auth.buffer, gKeyAuth, auth.size);
+ }
 }
 if (rc != 0) goto exit;
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
index 21d808a..91badcc 100755
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
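Review bot: In the `@@ -176,6 +179,9 @@` hunk a bare `-auth=` is accepted, leaving `authStr` pointing at an empty string; later that yields `auth.size == 0`, which is neither the documented default auth nor a password the user meant, and the difference is silent. Rejecting the empty value at parse time, `if (*authStr == '\0') { /* treat like any other bad argument */ }`, using whatever this function already does for invalid options (that code is outside the hunk), keeps the documented contract "not specified means default key auth" true. The enclosing argument loop starts before this hunk and ends after it.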
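Review bot: In the `@@ -292,9 +298,15 @@` hunk, `XMEMCPY(auth.buffer, authStr, auth.size)` copies an attacker-chosen command-line length into `auth.buffer` with no check against its capacity; if `auth` is the usual fixed-size TPM2B type (its declaration is outside the hunk), any `-auth=` value longer than `sizeof(auth.buffer)` overruns it, whereas the replaced code only ever copied a compile-time constant. The same unchecked copy is repeated in the `@@ -326,8 +338,15 @@` hunk, so the guard is needed in both places, or once at the point where `-auth=` is parsed. Note the TPM itself limits an authValue to the digest size of the key's name algorithm, so a value that fits the buffer may still be refused by the device; the guard below only keeps the process memory-safe and reports the problem instead of corrupting the stack. TPM2_Keygen_Example starts and ends outside these hunks.
```c
    if (authStr != NULL) {
        /* Use provided custom auth; reject anything that cannot fit */
        size_t authLen = XSTRLEN(authStr);
        if (authLen > sizeof(auth.buffer)) {
            printf("-auth= value too long (max %d bytes)\n", (int)sizeof(auth.buffer));
            rc = BAD_FUNC_ARG; /* non-zero, picked up by the rc != 0 checks below */
            goto exit;
        }
        auth.size = (int)authLen;
        XMEMCPY(auth.buffer, authStr, auth.size);
    }
    /* … unchanged: else branch copying gAiKeyAuth … */
```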
@@ -238,13 +238,39 @@ rm -f keyedhashblob.bin
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
 # KeyGen under Endorsement
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ # Test default behavior (no password) for regular key
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t >> $TPMPWD/run.out 2>&1
 RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (no auth) failed! $RESULT" && exit 1
 ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (no auth) failed! $RESULT" && exit 1
+ # Test custom password for regular key
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t -auth=custompass >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (custom auth) failed! $RESULT" && exit 1
+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (custom auth) failed! $RESULT" && exit 1
+
+ # Test AIK with default password (backward compatibility)
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+
+ # Test AIK with custom password
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
+
+ # ECC endorsement tests
 ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keygen endorsement ecc failed! $RESULT" && exit 1
From 942bbe7f03767cd2c1b2c575ac36d36fdfd439e0 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Fri, 28 Mar 2025 13:22:52 -0700
Subject: [PATCH 2/5] removed testing
---
 examples/run_examples.sh | 30 ++----------------------------
 1 file changed, 2 insertions(+), 28 deletions(-)
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
index 91badcc..21d808a 100755
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
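Review bot: The two cases labelled "(custom auth)" run `keyload` without `-auth=custompass`, so unless keyload picks the password up from somewhere not shown here, a successful load proves nothing about the custom auth value — it would pass whether keygen honoured the option or not, and it cannot tell a wrong password from the right one. A meaningful check needs the load side to present the same auth (and, ideally, a negative case where a wrong auth is expected to fail), e.g. `./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1` if keyload supports it. Later patches in this series remove these lines again, so the point mainly applies to whatever test eventually replaces them.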
@@ -238,39 +238,13 @@ rm -f keyedhashblob.bin
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
 # KeyGen under Endorsement
- # Test default behavior (no password) for regular key
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (no auth) failed! $RESULT" && exit 1
- ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (no auth) failed! $RESULT" && exit 1
-
- # Test custom password for regular key
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t -auth=custompass >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (custom auth) failed! $RESULT" && exit 1
- ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (custom auth) failed! $RESULT" && exit 1
-
- # Test AIK with default password (backward compatibility)
 ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
 ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1
- # Test AIK with custom password
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
- ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
-
- # ECC endorsement tests
 ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keygen endorsement ecc failed! $RESULT" && exit 1
From f10a27bb47ab80d81fbc9cf5acea16ca76d9638c Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Fri, 28 Mar 2025 13:29:43 -0700
Subject: [PATCH 3/5] Add keygen test for AIK and defualt
---
 examples/run_examples.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
index 21d808a..a093781 100755
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
@@ -251,6 +251,14 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
 ./examples/keygen/keyload ecckeyblobeh.bin -ecc -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keyload endorsement ecc failed! $RESULT" && exit 1
+
+ # Test KeyGen with custom password
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t -auth=custompass >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
 fi
From 688ce722d36d7adfc965253105192af84c027064 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Fri, 28 Mar 2025 13:57:21 -0700
Subject: [PATCH 4/5] Fix typo - default is used..
---
 examples/keygen/keygen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c
index 830323b..0e2cb0f 100644
--- a/examples/keygen/keygen.c
+++ b/examples/keygen/keygen.c
@@ -58,7 +58,7 @@ static void usage(void)
 printf("* -unique=[value]\n");
 printf("\t* Used for the KDF of the create\n");
 printf("* -auth=pass: Use custom password for key authentication\n");
- printf("\t* If not specified, no password is used\n");
+ printf("\t* If not specified, default key auth is used\n");
 printf("Example usage:\n");
 printf("\t* RSA, default template\n");
From 8e03c40fba1a52063e3c8c4ca2ac624cecfb31b9 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Fri, 28 Mar 2025 14:31:00 -0700
Subject: [PATCH 5/5] removed test, only needs to be tested when actually used in wolfTPM
---
 examples/run_examples.sh | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
index a093781..6db7765 100755
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
@@ -252,13 +252,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keyload endorsement ecc failed! $RESULT" && exit 1
- # Test KeyGen with custom password
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t -auth=custompass >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1
- RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+ # TODO: Add tests for -auth= keygen when used in example
 fi
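Review bot: The `# TODO` line added in the `@@ -252,13 +252,7 @@` hunk leaves the new `-auth=` code path with no coverage in run_examples.sh at the end of the series, and the comment does not record what is missing, so the next person has to rediscover it. Across the earlier patches every `keyload` invocation was run without the custom password, which suggests (hedged — keyload is not shown here) that the load side cannot yet present a custom auth and that is the real blocker; stating it makes the TODO actionable, e.g. `# TODO: test -auth= keygen once keyload can load a key created with a custom auth (and a wrong-auth negative case)`.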