Added keygen optional authentication password -auth=<yourpassword>

examples/keygen/keygen.c

@@ -43,7 +43,7 @@
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa/-sym] [-t] [-aes/xor] [-eh] [-pem]\n");
+    printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa/-sym] [-t] [-aes/xor] [-eh] [-pem] [-auth=pass]\n");
     printf("* -pem: Store the primary and child public keys as PEM formatted files\n");
     printf("\t child public key filename: ak.pem or key.pem\n");
     printf("\t primary public key filename: ek.pem or srk.pem\n");
@@ -57,6 +57,8 @@ static void usage(void)
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -unique=[value]\n");
     printf("\t* Used for the KDF of the create\n");
+    printf("* -auth=pass: Use custom password for key authentication\n");
+    printf("\t* If not specified, no password is used\n");
 
     printf("Example usage:\n");
     printf("\t* RSA, default template\n");
@@ -118,6 +120,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     int bAIK = 1;
     int keyBits = 256;
     const char* uniqueStr = NULL;
+    const char* authStr = NULL;
     const char *outputFile = "keyblob.bin";
     const char *ekPubFile = "ek.pub";
     const char *srkPubFile = "srk.pub";
@@ -176,6 +179,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         else if (XSTRNCMP(argv[argc-1], "-unique=", XSTRLEN("-unique=")) == 0) {
             uniqueStr = argv[argc-1] + XSTRLEN("-unique=");
         }
+        else if (XSTRNCMP(argv[argc-1], "-auth=", XSTRLEN("-auth=")) == 0) {
+            authStr = argv[argc-1] + XSTRLEN("-auth=");
+        }
         else if (argv[argc-1][0] != '-') {
             outputFile = argv[argc-1];
         }
@@ -292,9 +298,15 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         if (rc != 0) goto exit;
 
         /* set session for authorization key */
-        auth.size = (int)sizeof(gAiKeyAuth)-1;
-        XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
-
+        if (authStr != NULL) {
+            /* Use provided custom auth */
+            auth.size = (int)XSTRLEN(authStr);
+            XMEMCPY(auth.buffer, authStr, auth.size);
+        }
+        else {
+            auth.size = (int)sizeof(gAiKeyAuth)-1;
+            XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
+        }
     }
     else {
         if (alg == TPM_ALG_RSA) {
@@ -326,8 +338,15 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         }
 
         /* set session for authorization key */
-        auth.size = (int)sizeof(gKeyAuth)-1;
-        XMEMCPY(auth.buffer, gKeyAuth, auth.size);
+        if (authStr != NULL) {
+            /* Use provided custom auth key */
+            auth.size = (int)XSTRLEN(authStr);
+            XMEMCPY(auth.buffer, authStr, auth.size);
+        }
+        else {
+            auth.size = (int)sizeof(gKeyAuth)-1;
+            XMEMCPY(auth.buffer, gKeyAuth, auth.size);
+        }
     }
     if (rc != 0) goto exit;
 

examples/run_examples.sh

@@ -238,13 +238,39 @@ rm -f keyedhashblob.bin
 
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     # KeyGen under Endorsement
-    ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+    # Test default behavior (no password) for regular key
+    ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t >> $TPMPWD/run.out 2>&1
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (no auth) failed! $RESULT" && exit 1
     ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (no auth) failed! $RESULT" && exit 1
 
+    # Test custom password for regular key
+    ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t -auth=custompass >> $TPMPWD/run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (custom auth) failed! $RESULT" && exit 1
+    ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (custom auth) failed! $RESULT" && exit 1
+
+    # Test AIK with default password (backward compatibility)
+    ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+    ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+
+    # Test AIK with custom password
+    ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
+    ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
+
+    # ECC endorsement tests
     ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> $TPMPWD/run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keygen endorsement ecc failed! $RESULT" && exit 1