From 50c5f102776eb09ea2fb3cd8bbe74bbf95239121 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Fri, 28 Mar 2025 12:50:22 -0700
Subject: [PATCH] Added keygen optional authentication password -auth=

---
 examples/keygen/keygen.c | 31 +++++++++++++++++++++++++------
 examples/run_examples.sh | 32 +++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c
index d012f7d..830323b 100644
--- a/examples/keygen/keygen.c
+++ b/examples/keygen/keygen.c
@@ -43,7 +43,7 @@ static void usage(void)
 {
 printf("Expected usage:\n");
- printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa/-sym] [-t] [-aes/xor] [-eh] [-pem]\n");
+ printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa/-sym] [-t] [-aes/xor] [-eh] [-pem] [-auth=pass]\n");
 printf("* -pem: Store the primary and child public keys as PEM formatted files\n");
 printf("\t child public key filename: ak.pem or key.pem\n");
 printf("\t primary public key filename: ek.pem or srk.pem\n");
@@ -57,6 +57,8 @@ static void usage(void)
 printf("* -aes/xor: Use Parameter Encryption\n");
 printf("* -unique=[value]\n");
 printf("\t* Used for the KDF of the create\n");
+ printf("* -auth=pass: Use custom password for key authentication\n");
+ printf("\t* If not specified, no password is used\n");
 printf("Example usage:\n");
 printf("\t* RSA, default template\n");
@@ -118,6 +120,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 int bAIK = 1;
 int keyBits = 256;
 const char* uniqueStr = NULL;
+ const char* authStr = NULL;
 const char *outputFile = "keyblob.bin";
 const char *ekPubFile = "ek.pub";
 const char *srkPubFile = "srk.pub";
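Review bot: The new help line in the @@ -57 hunk, `If not specified, no password is used`, does not match what the code does: when -auth= is omitted the later hunks fall back to the built-in gAiKeyAuth / gKeyAuth strings, so a default password is still applied to the key. A user reading the help would wrongly conclude that an unadorned keygen run produces a key with empty auth. Suggest `printf("\t* If not specified, the example's built-in default auth is used\n");` so the text states the real behaviour. usage() continues outside this hunk.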
@@ -176,6 +179,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 else if (XSTRNCMP(argv[argc-1], "-unique=", XSTRLEN("-unique=")) == 0) {
 uniqueStr = argv[argc-1] + XSTRLEN("-unique=");
 }
+ else if (XSTRNCMP(argv[argc-1], "-auth=", XSTRLEN("-auth=")) == 0) {
+ authStr = argv[argc-1] + XSTRLEN("-auth=");
+ }
 else if (argv[argc-1][0] != '-') {
 outputFile = argv[argc-1];
 }
@@ -292,9 +298,15 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 if (rc != 0) goto exit;
 /* set session for authorization key */
- auth.size = (int)sizeof(gAiKeyAuth)-1;
- XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
-
+ if (authStr != NULL) {
+ /* Use provided custom auth */
+ auth.size = (int)XSTRLEN(authStr);
+ XMEMCPY(auth.buffer, authStr, auth.size);
+ }
+ else {
+ auth.size = (int)sizeof(gAiKeyAuth)-1;
+ XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
+ }
 }
 else {
 if (alg == TPM_ALG_RSA) {
@@ -326,8 +338,15 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 }
 /* set session for authorization key */
- auth.size = (int)sizeof(gKeyAuth)-1;
- XMEMCPY(auth.buffer, gKeyAuth, auth.size);
+ if (authStr != NULL) {
+ /* Use provided custom auth key */
+ auth.size = (int)XSTRLEN(authStr);
+ XMEMCPY(auth.buffer, authStr, auth.size);
+ }
+ else {
+ auth.size = (int)sizeof(gKeyAuth)-1;
+ XMEMCPY(auth.buffer, gKeyAuth, auth.size);
+ }
 }
 if (rc != 0) goto exit;
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
index 21d808a..91badcc 100755
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
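Review bot: The new `-auth=` branch accepts an empty value (`-auth=` with nothing after it), which leaves authStr pointing at "" and, in the later hunks, produces a zero-length auth; that is a different outcome from omitting the flag, which keeps the built-in default, and the help text does not say so. A one-line comment next to the assignment would make the distinction explicit, e.g. `/* empty value means empty auth; omitting -auth= keeps the default */`. Worth also noting in usage() that a password given on the command line is visible in process listings and shell history, so for anything beyond a demo it should come from a prompt or a file. The argument-parsing loop starts and ends outside this hunk.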
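Review bot: The custom-auth branch copies XSTRLEN(authStr) bytes into auth.buffer with no bound, so a -auth= value longer than sizeof(auth.buffer) overruns the TPM2B structure; the @@ -326 hunk repeats the same unchecked copy for the gKeyAuth case. Check the length against sizeof(auth.buffer) before the copy and fail the example through the existing `goto exit` path (below I use BAD_FUNC_ARG, the error code these examples normally return for bad arguments; substitute whichever the file uses). The two branches are now identical apart from the default string, so a small static helper taking the default would also remove the duplication. TPM2_Keygen_Example starts and ends outside this hunk.
```c
/* … unchanged: key creation and rc check above … */
if (authStr != NULL) {
    /* Use provided custom auth; refuse anything the TPM2B cannot hold */
    size_t authLen = XSTRLEN(authStr);
    if (authLen > sizeof(auth.buffer)) {
        printf("-auth= value too long (max %d bytes)\n", (int)sizeof(auth.buffer));
        rc = BAD_FUNC_ARG;
        goto exit;
    }
    auth.size = (int)authLen;
    XMEMCPY(auth.buffer, authStr, auth.size);
}
else {
    auth.size = (int)sizeof(gAiKeyAuth)-1;
    XMEMCPY(auth.buffer, gAiKeyAuth, auth.size);
}
/* … unchanged: else branch for non-AIK keys … */
```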
@@ -238,13 +238,39 @@ rm -f keyedhashblob.bin
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
 # KeyGen under Endorsement
- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ # Test default behavior (no password) for regular key
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t >> $TPMPWD/run.out 2>&1
 RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (no auth) failed! $RESULT" && exit 1
 ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
- [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (no auth) failed! $RESULT" && exit 1
+ # Test custom password for regular key
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -t -auth=custompass >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (custom auth) failed! $RESULT" && exit 1
+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (custom auth) failed! $RESULT" && exit 1
+
+ # Test AIK with default password (backward compatibility)
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK default auth) failed! $RESULT" && exit 1
+
+ # Test AIK with custom password
+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh -auth=custompass >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> $TPMPWD/run.out 2>&1
+ RESULT=$?
+ [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa (AIK custom auth) failed! $RESULT" && exit 1
+
+ # ECC endorsement tests
 ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> $TPMPWD/run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keygen endorsement ecc failed! $RESULT" && exit 1
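Review bot: The comment `# Test default behavior (no password) for regular key` and the `(no auth)` tags in the two echo strings describe the run without -auth= as unauthenticated, but keygen.c falls back to gKeyAuth in that case, so the label should say `default auth`, matching the wording already used for the AIK case. None of the keyload runs is given `-auth=custompass`, so if keyload ever uses the key's auth value these steps would not exercise the custom password at all; it would be worth confirming that a step somewhere in the script actually authorizes with the custom-auth blob, or stating in a comment that keyload only loads the blob and does not use its auth. The `if [ $WOLFCRYPT_ENABLE -eq 1 ]` block continues past the end of the hunk.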