mirror of https://github.com/wolfSSL/wolfTPM.git
Support for getting TPM EK Certificates. Added `wolfTPM2_GetKeyTemplate_EK` and `wolfTPM2_GetKeyTemplate_EK` API's for getting EK public templates for generating the EK primary key. Fix TLS example build issues with wolfSSL not having crypto callback or PK callback enabled.
David Garske
parent
fb7e321ac0
commit
57f12df97b
|
|
@ -79,6 +79,7 @@ examples/boot/secret_seal
|
|||
examples/boot/secret_unseal
|
||||
examples/firmware/ifx_fw_extract
|
||||
examples/firmware/ifx_fw_update
|
||||
examples/endorsement/get_ek_certs
|
||||
|
||||
# Generated Cert Files
|
||||
certs/ca-*.pem
|
||||
|
|
|
|||
|
|
@ -34,6 +34,7 @@ Portable TPM 2.0 project designed for embedded use.
|
|||
* Parameter encryption support using AES-CFB or XOR.
|
||||
* Support for salted unbound authenticated sessions.
|
||||
* Support for HMAC Sessions.
|
||||
* Support for reading Endorsement certificates (EK Credential Profile).
|
||||
|
||||
Note: See [examples/README.md](examples/README.md) for details on using the examples.
|
||||
|
||||
|
|
@ -168,7 +169,7 @@ make install
|
|||
# then for some other library such as wolfTPM:
|
||||
|
||||
# cd /your-wolftpm-repo
|
||||
./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin
|
||||
./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin
|
||||
```
|
||||
|
||||
### Build options and defines
|
||||
|
|
@ -825,7 +826,6 @@ Connection: close
|
|||
|
||||
## Todo
|
||||
|
||||
* Add support for Endorsement certificates (EK Credential Profile).
|
||||
* Update to v1.59 of specification (adding CertifyX509).
|
||||
* Inner wrap support for SensitiveToPrivate.
|
||||
* Add support for IRQ (interrupt line)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,31 @@
|
|||
# TPM Endorsement Certificates
|
||||
|
||||
The `get_ek_certs` example will enumerate and validate the Endorsement Key Certificates stored in the NV TCG region.
|
||||
|
||||
TPM manufactures provision Endorsement Certificates based on a TPM key. This certificate can be used for signing/endorsement.
|
||||
|
||||
We have loaded some of the root and intermediate CA's into the trusted_certs.h file.
|
||||
|
||||
## Infineon SLB9672 EK Certificate Chain
|
||||
|
||||
Infineon certificates for TPM 2.0 can be downloaded from the following URLs (replace xxx with 3-digit CA number):
|
||||
|
||||
https://pki.infineon.com/OptigaRsaMfrCAxxx/OptigaRsaMfrCAxxx.crt
|
||||
https://pki.infineon.com/OptigaEccMfrCAxxx/OptigaEccMfrCAxxx.crt
|
||||
|
||||
|
||||
Examples:
|
||||
|
||||
- Infineon OPTIGA(TM) RSA Root CA 2
|
||||
- Infineon OPTIGA(TM) TPM 2.0 RSA CA 059
|
||||
- Infineon OPTIGA(TM) ECC Root CA 2
|
||||
- Infineon OPTIGA(TM) TPM 2.0 ECC CA 059
|
||||
|
||||
## STMicro ST33KTPM EK Certificate Chain
|
||||
|
||||
Example:
|
||||
|
||||
- STSAFE RSA root CA 02 (http://sw-center.st.com/STSAFE/STSAFERsaRootCA02.crt)
|
||||
- STSAFE-TPM RSA intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmrsaint10.crt)
|
||||
- STSAFE ECC root CA 02 (http://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt)
|
||||
- STSAFE-TPM ECC intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmeccint10.crt)
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
/* endorsement.h
|
||||
*
|
||||
* Copyright (C) 2006-2024 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfTPM.
|
||||
*
|
||||
* wolfTPM is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfTPM is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
#ifndef _WOLFTPM_ENDORSEMENT_H_
|
||||
#define _WOLFTPM_ENDORSEMENT_H_
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]);
|
||||
|
||||
#ifdef __cplusplus
|
||||
} /* extern "C" */
|
||||
#endif
|
||||
|
||||
#endif /* _WOLFTPM_ENDORSEMENT_H_ */
|
||||
|
|
@ -0,0 +1,414 @@
|
|||
/* get_ek_certs.c
|
||||
*
|
||||
* Copyright (C) 2006-2024 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfTPM.
|
||||
*
|
||||
* wolfTPM is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfTPM is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
/* This example shows how to decrypt a credential for Remote Attestation
|
||||
* and extract the secret for challenge response to an attestation server
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
|
||||
#include <wolftpm/tpm2_wrap.h>
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#ifndef WOLFTPM2_NO_WRAPPER
|
||||
|
||||
#include <examples/endorsement/endorsement.h>
|
||||
#include <hal/tpm_io.h>
|
||||
|
||||
#ifndef WOLFTPM2_NO_WOLFCRYPT
|
||||
#include <wolfssl/wolfcrypt/asn.h>
|
||||
#include "trusted_certs.h"
|
||||
#endif
|
||||
|
||||
/******************************************************************************/
|
||||
/* --- BEGIN TPM2.0 Endorsement certificate tool -- */
|
||||
/******************************************************************************/
|
||||
|
||||
#ifndef MAX_CERT_SZ
|
||||
#define MAX_CERT_SZ 2048
|
||||
#endif
|
||||
|
||||
static void usage(void)
|
||||
{
|
||||
printf("Expected usage:\n");
|
||||
printf("./examples/endorsement/get_ek_certs\n");
|
||||
}
|
||||
|
||||
static void dump_hex_bytes(const byte* buf, word32 sz)
|
||||
{
|
||||
word32 i;
|
||||
/* Print as : separated hex bytes - max 15 bytes per line */
|
||||
printf("\t");
|
||||
for (i=0; i<sz; i++) {
|
||||
printf("%02x", buf[i]);
|
||||
if (i+1 < sz) {
|
||||
printf(":");
|
||||
if (i>0 && ((i+1)%16)==0) printf("\n\t");
|
||||
}
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
/* Display EK public information */
|
||||
static void show_ek_public(const TPM2B_PUBLIC* pub)
|
||||
{
|
||||
printf("EK %s, Hash: %s, objAttr: 0x%X\n",
|
||||
TPM2_GetAlgName(pub->publicArea.type),
|
||||
TPM2_GetAlgName(pub->publicArea.nameAlg),
|
||||
(unsigned int)pub->publicArea.objectAttributes);
|
||||
|
||||
/* parameters and unique field depend on algType */
|
||||
if (pub->publicArea.type == TPM_ALG_RSA) {
|
||||
printf("\tKeyBits: %d, exponent: 0x%X, unique size %d\n",
|
||||
pub->publicArea.parameters.rsaDetail.keyBits,
|
||||
(unsigned int)pub->publicArea.parameters.rsaDetail.exponent,
|
||||
pub->publicArea.unique.rsa.size);
|
||||
dump_hex_bytes(pub->publicArea.unique.rsa.buffer,
|
||||
pub->publicArea.unique.rsa.size);
|
||||
}
|
||||
else if (pub->publicArea.type == TPM_ALG_ECC) {
|
||||
const char* curveName = "NULL";
|
||||
#ifndef WOLFTPM2_NO_WOLFCRYPT
|
||||
curveName = wc_ecc_get_name(
|
||||
TPM2_GetWolfCurve(pub->publicArea.parameters.eccDetail.curveID));
|
||||
#endif
|
||||
printf("\tCurveID %s (0x%x), size %d, unique X/Y size %d/%d\n",
|
||||
curveName, pub->publicArea.parameters.eccDetail.curveID,
|
||||
TPM2_GetCurveSize(pub->publicArea.parameters.eccDetail.curveID),
|
||||
pub->publicArea.unique.ecc.x.size,
|
||||
pub->publicArea.unique.ecc.y.size);
|
||||
dump_hex_bytes(pub->publicArea.unique.ecc.x.buffer,
|
||||
pub->publicArea.unique.ecc.x.size);
|
||||
dump_hex_bytes(pub->publicArea.unique.ecc.y.buffer,
|
||||
pub->publicArea.unique.ecc.y.size);
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef WOLFTPM2_NO_WOLFCRYPT
|
||||
static int compare_ek_public(const TPM2B_PUBLIC* ekpub,
|
||||
const TPM2B_PUBLIC* certpub)
|
||||
{
|
||||
int rc = -1;
|
||||
if (ekpub->publicArea.type == TPM_ALG_RSA) {
|
||||
if (ekpub->publicArea.unique.rsa.size ==
|
||||
certpub->publicArea.unique.rsa.size) {
|
||||
rc = XMEMCMP(ekpub->publicArea.unique.rsa.buffer,
|
||||
certpub->publicArea.unique.rsa.buffer,
|
||||
ekpub->publicArea.unique.rsa.size);
|
||||
}
|
||||
}
|
||||
else if (ekpub->publicArea.type == TPM_ALG_ECC) {
|
||||
if (ekpub->publicArea.parameters.eccDetail.curveID ==
|
||||
certpub->publicArea.parameters.eccDetail.curveID &&
|
||||
ekpub->publicArea.unique.ecc.x.size ==
|
||||
certpub->publicArea.unique.ecc.x.size &&
|
||||
ekpub->publicArea.unique.ecc.y.size ==
|
||||
certpub->publicArea.unique.ecc.y.size) {
|
||||
rc = XMEMCMP(ekpub->publicArea.unique.ecc.x.buffer,
|
||||
certpub->publicArea.unique.ecc.x.buffer,
|
||||
ekpub->publicArea.unique.ecc.x.size);
|
||||
if (rc == 0) {
|
||||
rc = XMEMCMP(ekpub->publicArea.unique.ecc.y.buffer,
|
||||
certpub->publicArea.unique.ecc.y.buffer,
|
||||
ekpub->publicArea.unique.ecc.y.size);
|
||||
}
|
||||
}
|
||||
}
|
||||
return rc;
|
||||
}
|
||||
#endif
|
||||
|
||||
int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
|
||||
{
|
||||
int rc = -1, nvIdx;
|
||||
WOLFTPM2_DEV dev;
|
||||
TPML_HANDLE handles;
|
||||
TPMS_NV_PUBLIC nvPublic;
|
||||
WOLFTPM2_NV nv;
|
||||
WOLFTPM2_KEY endorse;
|
||||
WOLFTPM2_KEY certPubKey;
|
||||
uint8_t certBuf[MAX_CERT_SZ];
|
||||
uint32_t certSz;
|
||||
TPMT_PUBLIC publicTemplate;
|
||||
word32 nvIndex;
|
||||
#ifndef WOLFTPM2_NO_WOLFCRYPT
|
||||
int i;
|
||||
#ifndef WOLFCRYPT_ONLY
|
||||
WOLFSSL_CERT_MANAGER* cm = NULL;
|
||||
#endif
|
||||
DecodedCert cert;
|
||||
#ifdef WOLFSSL_DER_TO_PEM
|
||||
char* pem = NULL;
|
||||
word32 pemSz = 0;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
XMEMSET(&endorse, 0, sizeof(endorse));
|
||||
XMEMSET(&handles, 0, sizeof(handles));
|
||||
XMEMSET(&nvPublic, 0, sizeof(nvPublic));
|
||||
XMEMSET(&certPubKey, 0, sizeof(certPubKey));
|
||||
|
||||
if (argc >= 2) {
|
||||
if (XSTRCMP(argv[1], "-?") == 0 ||
|
||||
XSTRCMP(argv[1], "-h") == 0 ||
|
||||
XSTRCMP(argv[1], "--help") == 0) {
|
||||
usage();
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
printf("Get Endorsement Certificate(s)\n");
|
||||
|
||||
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
|
||||
if (rc != TPM_RC_SUCCESS) {
|
||||
printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* List TCG stored handles */
|
||||
rc = wolfTPM2_GetHandles(TPM_20_TCG_NV_SPACE, &handles);
|
||||
if (rc < 0) {
|
||||
goto exit;
|
||||
}
|
||||
rc = 0;
|
||||
printf("Found %d TCG handles\n", handles.count);
|
||||
|
||||
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY)
|
||||
/* load trusted certificates to cert manager */
|
||||
certSz = 0;
|
||||
cm = wolfSSL_CertManagerNew();
|
||||
if (cm != NULL) {
|
||||
for (i=0; i<(int)(sizeof(trusted_certs)/sizeof(const char*)); i++) {
|
||||
const char* pemCert = trusted_certs[i];
|
||||
rc = wolfSSL_CertManagerLoadCABuffer(cm,
|
||||
(const unsigned char*)pemCert, XSTRLEN(pemCert),
|
||||
WOLFSSL_FILETYPE_PEM);
|
||||
if (rc == WOLFSSL_SUCCESS) {
|
||||
certSz++;
|
||||
rc = 0;
|
||||
}
|
||||
else {
|
||||
printf("Warning: Failed to load trusted PEM at index %d\n", i);
|
||||
/* not fatal, continue loading trusted certs */
|
||||
}
|
||||
}
|
||||
printf("Loaded %d trusted certificates\n", certSz);
|
||||
}
|
||||
else {
|
||||
printf("Warning: Failed to setup a trusted certificate manager\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
for (nvIdx=0; nvIdx<(int)handles.count; nvIdx++) {
|
||||
nvIndex = handles.handle[nvIdx];
|
||||
|
||||
printf("TCG Handle 0x%x\n", nvIndex);
|
||||
|
||||
/* Read Public portion of NV */
|
||||
rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
|
||||
if (rc != 0) {
|
||||
printf("Failed to read public for NV Index 0x%08x\n", nvIndex);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Read data */
|
||||
XMEMSET(&nv, 0, sizeof(nv)); /* Must reset the NV for each read */
|
||||
XMEMSET(certBuf, 0, sizeof(certBuf));
|
||||
certSz = (uint32_t)sizeof(certBuf);
|
||||
if (certSz > nvPublic.dataSize) {
|
||||
certSz = nvPublic.dataSize;
|
||||
}
|
||||
rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, certBuf, &certSz, 0);
|
||||
if (rc == 0) {
|
||||
#ifdef DEBUG_WOLFTPM
|
||||
printf("EK Data: %d\n", certSz);
|
||||
TPM2_PrintBin(certBuf, certSz);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Create Endorsement Key */
|
||||
if (rc == 0) {
|
||||
/* Get Endorsement Public Key template using NV index */
|
||||
rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
|
||||
if (rc != 0) {
|
||||
printf("EK Index 0x%08x not valid\n", nvIndex);
|
||||
rc = BAD_FUNC_ARG;
|
||||
}
|
||||
}
|
||||
if (rc == 0) {
|
||||
/* Create Endorsement Key using EK auth policy */
|
||||
printf("Creating Endorsement Key\n");
|
||||
rc = wolfTPM2_CreatePrimaryKey(&dev, &endorse, TPM_RH_ENDORSEMENT,
|
||||
&publicTemplate, NULL, 0);
|
||||
if (rc != 0) goto exit;
|
||||
printf("Endorsement key loaded at handle 0x%08x\n",
|
||||
endorse.handle.hndl);
|
||||
|
||||
/* Display EK public information */
|
||||
show_ek_public(&endorse.pub);
|
||||
}
|
||||
|
||||
#ifndef WOLFTPM2_NO_WOLFCRYPT
|
||||
if (rc == 0) {
|
||||
/* Attempt to parse certificate */
|
||||
printf("Parsing certificate (%d bytes)\n", certSz);
|
||||
wc_InitDecodedCert(&cert, certBuf, certSz, NULL);
|
||||
rc = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
|
||||
if (rc == 0) {
|
||||
printf("\tSuccessfully parsed\n");
|
||||
|
||||
#if defined(WOLFSSL_ASN_CA_ISSUER) || \
|
||||
defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
|
||||
/* print the "Authority Information Access" for accessing
|
||||
* CA Issuers */
|
||||
if (cert.extAuthInfoCaIssuerSz > 0) {
|
||||
printf("CA Issuers: %.*s\n",
|
||||
cert.extAuthInfoCaIssuerSz, cert.extAuthInfoCaIssuer);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (cert.serialSz > 0) {
|
||||
if (cert.serialSz == 4) {
|
||||
/* serial number is 32-bits */
|
||||
word32 serial;
|
||||
XMEMCPY(&serial, cert.serial, cert.serialSz);
|
||||
#ifndef BIG_ENDIAN_ORDER
|
||||
serial = ByteReverseWord32(serial);
|
||||
#endif
|
||||
printf("Serial Number: %08u (0x%08x)\n",
|
||||
serial, serial);
|
||||
}
|
||||
else {
|
||||
/* Print serial as : separated hex bytes */
|
||||
printf("Serial Number (%d bytes)\n", cert.serialSz);
|
||||
dump_hex_bytes(cert.serial, cert.serialSz);
|
||||
}
|
||||
}
|
||||
|
||||
/* Import certificate public key */
|
||||
rc = wolfTPM2_ImportPublicKeyBuffer(&dev,
|
||||
endorse.pub.publicArea.type, &certPubKey,
|
||||
ENCODING_TYPE_ASN1,
|
||||
(const char*)cert.publicKey, cert.pubKeySize,
|
||||
endorse.pub.publicArea.objectAttributes
|
||||
);
|
||||
if (rc == 0) {
|
||||
/* compare public unique areas */
|
||||
if (compare_ek_public(&endorse.pub, &certPubKey.pub) == 0) {
|
||||
printf("Cert public key and EK public match\n");
|
||||
}
|
||||
else {
|
||||
printf("Error: Cert public key != EK public!\n");
|
||||
show_ek_public(&certPubKey.pub);
|
||||
}
|
||||
}
|
||||
else {
|
||||
printf("Error importing certificates public key! %d\n", rc);
|
||||
}
|
||||
}
|
||||
else {
|
||||
printf("Error parsing certificate 0x%x: %s\n",
|
||||
rc, TPM2_GetRCString(rc));
|
||||
}
|
||||
wc_FreeDecodedCert(&cert);
|
||||
|
||||
#ifndef WOLFCRYPT_ONLY
|
||||
if (rc == 0) {
|
||||
/* Validate EK certificate against trusted certificates */
|
||||
rc = wolfSSL_CertManagerVerifyBuffer(cm, certBuf, certSz,
|
||||
WOLFSSL_FILETYPE_ASN1);
|
||||
printf("EK Certificate is %s\n",
|
||||
(rc == WOLFSSL_SUCCESS) ? "VALID" : "INVALID");
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_DER_TO_PEM
|
||||
/* Convert certificate to PEM and display */
|
||||
rc = wc_DerToPemEx(certBuf, certSz, NULL, 0, NULL, CERT_TYPE);
|
||||
if (rc > 0) {
|
||||
pemSz = (word32)rc;
|
||||
rc = 0;
|
||||
|
||||
pemSz++; /* for '\0'*/
|
||||
pem = (char*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (pem == NULL) {
|
||||
rc = MEMORY_E;
|
||||
}
|
||||
}
|
||||
if (rc == 0) {
|
||||
XMEMSET(pem, 0, pemSz);
|
||||
rc = wc_DerToPem(certBuf, certSz, (byte*)pem, pemSz, CERT_TYPE);
|
||||
if (rc > 0) {
|
||||
rc = 0;
|
||||
}
|
||||
}
|
||||
if (rc == 0) {
|
||||
printf("Endorsement Cert PEM\n");
|
||||
puts(pem);
|
||||
}
|
||||
#endif /* WOLFSSL_DER_TO_PEM */
|
||||
}
|
||||
#endif /* !WOLFTPM2_NO_WOLFCRYPT */
|
||||
|
||||
wolfTPM2_UnloadHandle(&dev, &endorse.handle);
|
||||
XMEMSET(&endorse, 0, sizeof(endorse));
|
||||
}
|
||||
|
||||
exit:
|
||||
|
||||
#ifndef WOLFTPM2_NO_WOLFCRYPT
|
||||
#ifdef WOLFSSL_DER_TO_PEM
|
||||
XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
#endif
|
||||
#ifndef WOLFCRYPT_ONLY
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
#endif
|
||||
#endif
|
||||
wolfTPM2_UnloadHandle(&dev, &endorse.handle);
|
||||
wolfTPM2_Cleanup(&dev);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
/******************************************************************************/
|
||||
/* --- END TPM2.0 Endorsement certificate tool -- */
|
||||
/******************************************************************************/
|
||||
#endif /* !WOLFTPM2_NO_WRAPPER */
|
||||
|
||||
#ifndef NO_MAIN_DRIVER
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int rc = -1;
|
||||
|
||||
#ifndef WOLFTPM2_NO_WRAPPER
|
||||
rc = TPM2_EndorsementCert_Example(NULL, argc, argv);
|
||||
#else
|
||||
printf("Wrapper code not compiled in\n");
|
||||
(void)argc;
|
||||
(void)argv;
|
||||
#endif /* !WOLFTPM2_NO_WRAPPER */
|
||||
|
||||
return rc;
|
||||
}
|
||||
#endif
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
# vim:ft=automake
|
||||
# All paths should be given relative to the root
|
||||
|
||||
if BUILD_EXAMPLES
|
||||
noinst_HEADERS += \
|
||||
examples/endorsement/endorsement.h \
|
||||
examples/endorsement/trusted_certs.h
|
||||
|
||||
noinst_PROGRAMS += examples/endorsement/get_ek_certs
|
||||
examples_endorsement_get_ek_certs_SOURCES = examples/endorsement/get_ek_certs.c
|
||||
examples_endorsement_get_ek_certs_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
|
||||
examples_endorsement_get_ek_certs_DEPENDENCIES = src/libwolftpm.la
|
||||
endif
|
||||
|
||||
EXTRA_DIST+=examples/endorsement/README.md
|
||||
example_endorsementdir = $(exampledir)/endorsement
|
||||
dist_example_endorsement_DATA = \
|
||||
examples/endorsement/get_ek_certs.c
|
||||
|
||||
DISTCLEANFILES+= examples/endorsement/.libs/get_ek_certs
|
||||
|
|
@ -0,0 +1,300 @@
|
|||
#ifndef WOLFTPM_TRUSTED_CERTS_H
|
||||
#define WOLFTPM_TRUSTED_CERTS_H
|
||||
|
||||
/* These are root and intermediate certificates used by chip vendors for
|
||||
* their endorsement certificates.
|
||||
*/
|
||||
|
||||
/* webauthn has a good source of TPM root certs:
|
||||
* https://hackage.haskell.org/package/webauthn-0.10.0.0/src/root-certs/tpm/
|
||||
*/
|
||||
|
||||
/* tpm2-tss fapi header has a well maintained list of TPM root certificates:
|
||||
* https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/fapi_certificates.h
|
||||
*/
|
||||
|
||||
static const char* trusted_certs[] = {
|
||||
/* ---------------------------------------------------------------*/
|
||||
/* Infineon Technologies AG */
|
||||
/* ---------------------------------------------------------------*/
|
||||
/* Subject: CN=Infineon OPTIGA(TM) ECC Root CA 2
|
||||
* Algorithms: ECDSA SECP521R1, SHA2-512
|
||||
* Validity: Nov 22 23:59:59 2054 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIICrTCCAg6gAwIBAgIBWjAKBggqhkjOPQQDBDB5MQswCQYDVQQGEwJERTEhMB8G\n"
|
||||
"A1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJR0Eo\n"
|
||||
"VE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkgRUNDIFJv\n"
|
||||
"b3QgQ0EgMjAgFw0xOTExMjIwMDAwMDBaGA8yMDU0MTEyMjIzNTk1OVoweTELMAkG\n"
|
||||
"A1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEbMBkG\n"
|
||||
"A1UECwwST1BUSUdBKFRNKSBEZXZpY2VzMSowKAYDVQQDDCFJbmZpbmVvbiBPUFRJ\n"
|
||||
"R0EoVE0pIEVDQyBSb290IENBIDIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABD\n"
|
||||
"6MnFaakBVM/vveSWg55BTIdxWdxAzGf2+fEUo5b9hMF6kVSWaR0wAAm2p9qeXNAV\n"
|
||||
"j7tfQkhz1CxvNz4TauSBQQGf94WLcIKyh7d6zC6/AIloqPizTIGb5xl4ogqyz6ZC\n"
|
||||
"T/D5FiOPA98TYzoThdqM8cpcI74e2xOyNgAffsm/BRiuFKNCMEAwHQYDVR0OBBYE\n"
|
||||
"FIK4PcxxuD5+9pzWHchNUjJwbMedMA4GA1UdDwEB/wQEAwIABjAPBgNVHRMBAf8E\n"
|
||||
"BTADAQH/MAoGCCqGSM49BAMEA4GMADCBiAJCAOXJYwRt86BtRKSuiN5LNATNX6Nc\n"
|
||||
"hs4DUiggpQhbgggV3Lf+T39l71KvCIPb8n5ZjSi5AKflmPGzumCjqDAPsgmsAkIA\n"
|
||||
"vpqNqptg4Sf3hrdAsLAqNPZGnx8gRBnsTvvQzNUOZETuBp+nbmSrKMWZpd5G7HkM\n"
|
||||
"9uXFb5ctX1cZQUbYFA2qG5g=\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 ECC CA 059
|
||||
* Issuer: CN=Infineon OPTIGA(TM) ECC Root CA 2
|
||||
* Algorithms: ECDSA SECP521R1, SHA2-512
|
||||
* Validity: Mar 10 10:30:49 2042 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIDpzCCAwigAwIBAgIEM8fygzAKBggqhkjOPQQDBDB5MQswCQYDVQQGEwJERTEh\n"
|
||||
"MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n"
|
||||
"R0EoVE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkgRUND\n"
|
||||
"IFJvb3QgQ0EgMjAeFw0yMjAzMTAxMDMwNDlaFw00MjAzMTAxMDMwNDlaMHYxCzAJ\n"
|
||||
"BgNVBAYTAkRFMSEwHwYDVQQKDBhJbmZpbmVvbiBUZWNobm9sb2dpZXMgQUcxEzAR\n"
|
||||
"BgNVBAsMCk9QVElHQShUTSkxLzAtBgNVBAMMJkluZmluZW9uIE9QVElHQShUTSkg\n"
|
||||
"VFBNIDIuMCBFQ0MgQ0EgMDU5MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAdFmJ\n"
|
||||
"CLLqN+9xRN+gDqG1qYoDj6+B4OCy5rXG2+cTp6OPraIEIs7ZCtsdxv0hGM45SJI5\n"
|
||||
"4nl6WUqdILKdqhA1cTMABVhN6Nm6oVwXwjStVRslqSjeY4IOy5Rwg109IENZZ4mL\n"
|
||||
"F5BFJPUHIQ65m7vWF091CcmK9yOjhZ19aawMUQDpCiCjggE8MIIBODBZBggrBgEF\n"
|
||||
"BQcBAQRNMEswSQYIKwYBBQUHMAKGPWh0dHA6Ly9wa2kuaW5maW5lb24uY29tL09w\n"
|
||||
"dGlnYUVjY1Jvb3RDQTIvT3B0aWdhRWNjUm9vdENBMi5jcnQwHQYDVR0OBBYEFMfY\n"
|
||||
"6hrNmsmcNQkPCrXM5ISJzxUdMA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAG\n"
|
||||
"AQH/AgEAME4GA1UdHwRHMEUwQ6BBoD+GPWh0dHA6Ly9wa2kuaW5maW5lb24uY29t\n"
|
||||
"L09wdGlnYUVjY1Jvb3RDQTIvT3B0aWdhRWNjUm9vdENBMi5jcmwwFQYDVR0gBA4w\n"
|
||||
"DDAKBggqghQARAEUATAfBgNVHSMEGDAWgBSCuD3Mcbg+fvac1h3ITVIycGzHnTAQ\n"
|
||||
"BgNVHSUECTAHBgVngQUIATAKBggqhkjOPQQDBAOBjAAwgYgCQgCxOZetx3JsIj/x\n"
|
||||
"tmQiqH24lCydvK+YD+HFXfPqSTkqyAl1k6oq7oHOVDfDwiFO34l5ZCpk+Om7y4hE\n"
|
||||
"CN813X4+YQJCAOMAUk7PWKDHg7avff7v8T3U0jBhrj/zcna2d1Wt5YG814+Jpk9j\n"
|
||||
"OyD3mUxh8uFPhavNYLdFtrwguXqTVyZcZB+D\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=Infineon OPTIGA(TM) RSA Root CA 2
|
||||
* Algorithms: RSA 4096-bit, SHA2-256
|
||||
* Validity: Nov 22 23:59:59 2054 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIFsTCCA5mgAwIBAgIBWTANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJERTEh\n"
|
||||
"MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ\n"
|
||||
"R0EoVE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkgUlNB\n"
|
||||
"IFJvb3QgQ0EgMjAgFw0xOTExMjIwMDAwMDBaGA8yMDU0MTEyMjIzNTk1OVoweTEL\n"
|
||||
"MAkGA1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEb\n"
|
||||
"MBkGA1UECwwST1BUSUdBKFRNKSBEZXZpY2VzMSowKAYDVQQDDCFJbmZpbmVvbiBP\n"
|
||||
"UFRJR0EoVE0pIFJTQSBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n"
|
||||
"ggIKAoICAQClvyAQlJNoJwAXwO5AojnaZO3rYqEbnox1r4jVvsjVnbDYSm9qYMIh\n"
|
||||
"X0lEweLh3GmC/B0VgN0eoVTdfUZ/H9laK+PETmzQnKya8Gsq/XSCq8nWKslTgdoY\n"
|
||||
"w44ddSBrTKoLWLPb8VW0FU0YIZaQEdXtWCQ2UqP+3Y6HbR8+RPO5DW64VsaGbeDx\n"
|
||||
"VZgskZauH0oZ4eU7pCa9z6WwhExHMqgTOMHNuCgAWD/OkxqBsS74/2L4nv6zJD9+\n"
|
||||
"yPLF3PjbVolC5WzR8M3ZUhN2iGp9V80/SEmj8SGS/z5l0cIwqua9DLhj/VCTo2Tl\n"
|
||||
"qJ1hjQVaKYRnPaLPnxOmjbwPkCBO/Tj4jHVLfjk1XArSR3tjZK2CvRERweLC/XdK\n"
|
||||
"doJuPPASeR8qmbhaj39wHBT5CTpJ8Hlh3uL1nMpeRJHJ0qM+7enirx/7WPuoI6FZ\n"
|
||||
"N9xEWh7k6kma8wjjettN8r8qHBJjQN6IeJ8p2dETfRK+Wva718S2TKf3RyrD2aX3\n"
|
||||
"RUGjFPxZcwDAX+YlqW7p03/77nf1SYnvyX7EyTZ99fRUjghVnM2tnTC4Soi6Sv1Z\n"
|
||||
"oXxWFSOMUeRb3YN+OlWvqnVIJ1UNiTe5l1qCnEE+P+lj87sSjwSP63ME4xaNFmlT\n"
|
||||
"v50t3+Gxpj92h8/owOpUBTD1uwLiZNDXhBE3qTtqO5T655ulTBsiZQIDAQABo0Iw\n"
|
||||
"QDAdBgNVHQ4EFgQU+0/LDx9uXdViIvTFSiU55L1NaigwDgYDVR0PAQH/BAQDAgAG\n"
|
||||
"MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFUkfuMp8AubFwcY\n"
|
||||
"id4j4W5d3vTkSHxLWQ+ILgw8t3goF/Zp1ikDJMPVynEaVEIet5qjT5jZe56j0HkI\n"
|
||||
"gyrOtjUxXXXvjSYEiUsoghp4ECM6EMj3nUmSqFkP8A9eGLtfpjTDFml0kPsBrK3e\n"
|
||||
"o0+moWLvRsFRL9wVKKu2OTdA3aUG8hfNocvu/H7yqsLNg1DAwmhBajQl3PtICjPB\n"
|
||||
"xUmhE1mxq998CVvdId7PqkTrBmUK8mNTNnLsDqFP2API//XxPWI9/LCib4StwM1w\n"
|
||||
"v0ECNelb/bAw3FDx6HcJqkA8mRqfjg+cngOCPQXa3MWXbod5RM6DzQhwgAaofSlv\n"
|
||||
"PzZGZvOu84FILJkSxj9ZpPVDy3bgTS2AE9Iy0C6y/1GyeHhDYFYdxg40osoCOBxu\n"
|
||||
"1WwsEPr0FkYYXX2YSRa3MmrkkWzXrgx1JKzJB6p/mQ14j1R3eMiYWKx5DjtkAmM9\n"
|
||||
"9qsnIU42jIpbwvQF1YC41GYclP2pX45LmDGTWgBDSBBtjEPnn2gwYH6uaSR3zndx\n"
|
||||
"nqu/imr4HSyvrsIGNak5RLEed8e02nbjTAehOLAZGdj+TMnvbQBS0AiZZO3qWx9T\n"
|
||||
"/ABQ8gFSGgorfvS5Lg7ANIiBSsCsVIa28I2eiYrJZatuFAo1Xg4z3n2kvL7S1wZy\n"
|
||||
"8MZsUVujMk+IInhi81MQZFUR2QbA\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 059
|
||||
* Issuer: CN=Infineon OPTIGA(TM) RSA Root CA 2
|
||||
* Algorithms: RSA 4096-bit, SHA2-384
|
||||
* Validity: Mar 10 10:36:34 2042 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIGqzCCBJOgAwIBAgIEavSCmDANBgkqhkiG9w0BAQwFADB5MQswCQYDVQQGEwJE\n"
|
||||
"RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP\n"
|
||||
"UFRJR0EoVE0pIERldmljZXMxKjAoBgNVBAMMIUluZmluZW9uIE9QVElHQShUTSkg\n"
|
||||
"UlNBIFJvb3QgQ0EgMjAeFw0yMjAzMTAxMDM2MzRaFw00MjAzMTAxMDM2MzRaMHYx\n"
|
||||
"CzAJBgNVBAYTAkRFMSEwHwYDVQQKDBhJbmZpbmVvbiBUZWNobm9sb2dpZXMgQUcx\n"
|
||||
"EzARBgNVBAsMCk9QVElHQShUTSkxLzAtBgNVBAMMJkluZmluZW9uIE9QVElHQShU\n"
|
||||
"TSkgVFBNIDIuMCBSU0EgQ0EgMDU5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC\n"
|
||||
"CgKCAgEA5Eq4pO/DJwsbPLocqJJGHoA6ZcoSKV0Te2nCdTRGVhH+Ba0nhlwI2k/K\n"
|
||||
"6lxoZ6DTJ7sQajy8nHq+7lxg/C35pN1/20Wh3aCd4AKdiRZRE7odg9exNT0TMAos\n"
|
||||
"aHAHU6jJcTIfnREXev63SDJgdkg3bY4sHdjTirUj+BI315eZi871Gh1dFh+W9WFT\n"
|
||||
"JPbuvvWWRe4fNtvEnpLQLSTbR9c2LE+Udo6Cax1aUP4CqqQS+iUnoU1XJ2wMDk2O\n"
|
||||
"R2SUtLDfEUhRzqsqw5pEu2lS8lnmxZwKz2n32PKKoqEAWmRQ9mq8mmybB5mf+KOk\n"
|
||||
"BKU2DhpKltMewsONL72gQ800W17B2szEBYkk7weckMfWiSaDT8HNQthY7BZ7qyzu\n"
|
||||
"7pM/nPIsElvEN+oY4QGPcH1IFQXZpUq27lNalsiFKN+PFTkDmWpTCLWwtqRgXqSw\n"
|
||||
"eMzE/C9ifQvlyPYH5ZmpMKl6fZfBl5jLWkW7VTJXNAf0cHU6d9jw02zZwj3esd5K\n"
|
||||
"Sj7fYSt6kxEv/QQ+91O6ceMd1rQ7Wo1ufi6Y8bMmhDDUQCbhtUveMs/zNhtZ9Dy7\n"
|
||||
"2AxE1INaHj9Xwj/nvSAS0oE/6CUbpiloxYuTdY4k+CUA+Ob5/GX6h3IPZyHwlP1x\n"
|
||||
"vjoald5nSq9ffdn+X4yWtyINaR0D6X+elGxHjsMLRnUMhin9lx8CAwEAAaOCATww\n"
|
||||
"ggE4MFkGCCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAoY9aHR0cDovL3BraS5pbmZp\n"
|
||||
"bmVvbi5jb20vT3B0aWdhUnNhUm9vdENBMi9PcHRpZ2FSc2FSb290Q0EyLmNydDAd\n"
|
||||
"BgNVHQ4EFgQU7lMg7m2CeMnsa+6Wu4I6TyUdwxMwDgYDVR0PAQH/BAQDAgAGMBIG\n"
|
||||
"A1UdEwEB/wQIMAYBAf8CAQAwTgYDVR0fBEcwRTBDoEGgP4Y9aHR0cDovL3BraS5p\n"
|
||||
"bmZpbmVvbi5jb20vT3B0aWdhUnNhUm9vdENBMi9PcHRpZ2FSc2FSb290Q0EyLmNy\n"
|
||||
"bDAVBgNVHSAEDjAMMAoGCCqCFABEARQBMB8GA1UdIwQYMBaAFPtPyw8fbl3VYiL0\n"
|
||||
"xUolOeS9TWooMBAGA1UdJQQJMAcGBWeBBQgBMA0GCSqGSIb3DQEBDAUAA4ICAQB9\n"
|
||||
"+nOzisSHWLtHLpTviVdtUIuW9WxrHqcE1+OD9kMnGW0R6DWacPNWb+rjQ9V0aZgd\n"
|
||||
"SRxlRqsQtPXgYjO10iPQmhKIhL7bWmYcm5If3NOiaFXSS9Xb7cNoPk+FJNWoY85F\n"
|
||||
"CKQWld0+RooebSDe1tLjE+kUuGMMvtoLumBiEBVcu+F2wuibO+Mo8Xr7VPl7o3J1\n"
|
||||
"asV2ZFtmrqHykfEWaJhswjw/FSQec2bFNafWW2dS3za658eoFEjmE59mIDCqx4p3\n"
|
||||
"4Qmm195P+zFqYTXJMifkoizIi2lJGtdoLZB4c6AzHeT+UOVjr027fdSqUxAyQeUI\n"
|
||||
"uZfApcfWR21jxrpOxfkmy8GmtolrmRBZVbEKED1tsk3PxxCx1EeVrO46DaamkGFj\n"
|
||||
"TQYOjvdmCD+KcmCvG39Ftj4dy7kaObrdAVkQwFa/aCTH90vHGOlZUl/WuMg2PQlq\n"
|
||||
"kqkcAnBUPGbJIr9RJWZCxv4w0Mu5RnHWcs39HF4WSubLiuImbQRgLQuDuSJCMxZn\n"
|
||||
"DGYublH8ff8/abMvxI51XxpmaPLe9ZFP6LSdD1poeTT4j46yAH2GacsaysOzXuPB\n"
|
||||
"dgXXMFHAomRi10j/mp3Fv1nz73zVVy0e+4aj6Wh4+omKvXgwH8YgQVbMrPQfhbQg\n"
|
||||
"Q6kr1MlRyGqkQFTEeOHGI0PngcLQJzKYfjHDDEZ+GA==\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
|
||||
/* ---------------------------------------------------------------*/
|
||||
/* STMicroelectronics NV */
|
||||
/* ---------------------------------------------------------------*/
|
||||
/* Subject: CN=STSAFE ECC Root CA 02
|
||||
* Algorithms: ECDSA SECP521R1, SHA2-512
|
||||
* Validity: Dec 31 00:00:00 9999 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIICWjCCAbugAwIBAgIGVR0gAAECMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAkNI\n"
|
||||
"MR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNUU0FG\n"
|
||||
"RSBFQ0MgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAwMDAw\n"
|
||||
"MFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmljcyBO\n"
|
||||
"VjEeMBwGA1UEAxMVU1RTQUZFIEVDQyBSb290IENBIDAyMIGbMBAGByqGSM49AgEG\n"
|
||||
"BSuBBAAjA4GGAAQAJFgkbtp5mZpvISjL8zAUSSJXxXpPhxhSVGQfqU0GEjPBIMMD\n"
|
||||
"KNvc23xCcyIsiFTMD4MZQ1wov0SaBE3M31bWx78BrbiPCJ4lXUvJWiwm9+v3EL1z\n"
|
||||
"lznBtyJDYUkrUe2n7r8NH7kAQ1X/csItvyomECdRtm4wwD8VX1n+l3npVlMNOxWj\n"
|
||||
"QjBAMB0GA1UdDgQWBBT1XLcHvEsXQiYkgEBLu3yAulo8vjAOBgNVHQ8BAf8EBAMC\n"
|
||||
"AQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDBAOBjAAwgYgCQgC85uufYwd5\n"
|
||||
"yelX2EKkjx7s8LP6qgcXHxkO1zZYrTU7umomS5beVyPf2hA12yPVG9VnYUqs9+RA\n"
|
||||
"L0mbODJNfHR5yAJCAUf2a5qPe3a/BpZBoY7YI68nUt1UD8ScX+IbkLJQ6mPe8pNR\n"
|
||||
"xRJfSy8RvtTJcPEqH7kpj5sZjlRC5GUG/3Sco8uX\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=STSAFE TPM ECC Intermediate CA 10
|
||||
* Issuer: CN=STSAFE ECC Root CA 02
|
||||
* Algorithms: ECDSA SECP384R1, SHA2-384
|
||||
* Validity: Jan 1 00:00:00 2042 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIDQjCCAqOgAwIBAgIEQQAAEDAKBggqhkjOPQQDAzBNMQswCQYDVQQGEwJDSDEe\n"
|
||||
"MBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNBRkUg\n"
|
||||
"RUNDIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDIwMTAxMDAwMDAwWjBZ\n"
|
||||
"MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSow\n"
|
||||
"KAYDVQQDEyFTVFNBRkUgVFBNIEVDQyBJbnRlcm1lZGlhdGUgQ0EgMTAwdjAQBgcq\n"
|
||||
"hkjOPQIBBgUrgQQAIgNiAASTJN1bV66WKZt1gjvbSCbHJbo3HFyT/jqJ7+rqeMHK\n"
|
||||
"Z55dI/FYfY/qgK1A9xTy3S3aUysFnTo5RQSy8EqcY2JxijlKU0hISan3IRV/ycA0\n"
|
||||
"1KeA1AzDj6SKY0BCO07kc7yjggFGMIIBQjAdBgNVHQ4EFgQUnLOZx0g2wg9IQLg/\n"
|
||||
"lCqnQZj6s1owHwYDVR0jBBgwFoAU9Vy3B7xLF0ImJIBAS7t8gLpaPL4wQwYDVR0g\n"
|
||||
"AQH/BDkwNzA1BgRVHSAAMC0wKwYIKwYBBQUHAgEWH2h0dHA6Ly9zdy1jZW50ZXIu\n"
|
||||
"c3QuY29tL1NUU0FGRS8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\n"
|
||||
"AQAwUAYIKwYBBQUHAQEERDBCMEAGCCsGAQUFBzAChjRodHRwOi8vc3ctY2VudGVy\n"
|
||||
"LnN0LmNvbS9TVFNBRkUvU1RTQUZFRWNjUm9vdENBMDIuY3J0MEUGA1UdHwQ+MDww\n"
|
||||
"OqA4oDaGNGh0dHA6Ly9zdy1jZW50ZXIuc3QuY29tL1NUU0FGRS9TVFNBRkVFY2NS\n"
|
||||
"b290Q0EwMi5jcmwwCgYIKoZIzj0EAwMDgYwAMIGIAkIB9BxSCiEYdXzw4InfqOVA\n"
|
||||
"JXxwDySjdgGZkckh9eu6OAwzPoRsjwt59/R1LRxISsE8BFRCyL+/0Stae8W6CaUa\n"
|
||||
"YgkCQgEEZpf+KEZYKG+XFIfavWzFAFHgShQD2+fd21ncprh7rZDruPbeCqS6JEYc\n"
|
||||
"qKsm6vl5yWjrv88UV/UeeTqlz6WTww==\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=STSAFE TPM ECC Intermediate CA 11
|
||||
* Issuer: CN=STSAFE ECC Root CA 02
|
||||
* Algorithms: ECDSA SECP384R1, SHA2-384
|
||||
* Validity: Jan 1 00:00:00 2042 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIDQjCCAqOgAwIBAgIEQQAAETAKBggqhkjOPQQDAzBNMQswCQYDVQQGEwJDSDEe\n"
|
||||
"MBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNBRkUg\n"
|
||||
"RUNDIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDIwMTAxMDAwMDAwWjBZ\n"
|
||||
"MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSow\n"
|
||||
"KAYDVQQDEyFTVFNBRkUgVFBNIEVDQyBJbnRlcm1lZGlhdGUgQ0EgMTEwdjAQBgcq\n"
|
||||
"hkjOPQIBBgUrgQQAIgNiAAT1l1mAZbejAFPcYl7AyR0vQUzcM4a/AVzs4ctaxKOH\n"
|
||||
"PcXmxT6EeeXXDX4JcbuEgD7zZr+nw1AeZRCbO89o86+OM2yMKPqAl4tToRYAUIyl\n"
|
||||
"mYjHe8wUKeyUbMUMg5FZ92qjggFGMIIBQjAdBgNVHQ4EFgQU+A/ygAr/JRzH4rpY\n"
|
||||
"vietSY6qitYwHwYDVR0jBBgwFoAU9Vy3B7xLF0ImJIBAS7t8gLpaPL4wQwYDVR0g\n"
|
||||
"AQH/BDkwNzA1BgRVHSAAMC0wKwYIKwYBBQUHAgEWH2h0dHA6Ly9zdy1jZW50ZXIu\n"
|
||||
"c3QuY29tL1NUU0FGRS8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\n"
|
||||
"AQAwUAYIKwYBBQUHAQEERDBCMEAGCCsGAQUFBzAChjRodHRwOi8vc3ctY2VudGVy\n"
|
||||
"LnN0LmNvbS9TVFNBRkUvU1RTQUZFRWNjUm9vdENBMDIuY3J0MEUGA1UdHwQ+MDww\n"
|
||||
"OqA4oDaGNGh0dHA6Ly9zdy1jZW50ZXIuc3QuY29tL1NUU0FGRS9TVFNBRkVFY2NS\n"
|
||||
"b290Q0EwMi5jcmwwCgYIKoZIzj0EAwMDgYwAMIGIAkIBG7lZLscwwyv/6EMhsalu\n"
|
||||
"1kMx4rG8y0hQvB43eapAdpiwWJU93FF12Agtf5aDLr/zzjTy2epE1LOpBTDs431w\n"
|
||||
"exwCQgHvMXOrbU26af1JTw1TD92QorKeYX9AspNRfHTJqijcue4MIMa3lAdssvCy\n"
|
||||
"3QJ/mdWzkS8U0LlHNOV2Lb9PF4B10A==\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=STSAFE RSA Root CA 02
|
||||
* Algorithms: RSA 4096-bit, SHA2-384
|
||||
* Validity: Dec 31 00:00:00 9999 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIFXjCCA0agAwIBAgIGVR0gAAACMA0GCSqGSIb3DQEBDAUAME0xCzAJBgNVBAYT\n"
|
||||
"AkNIMR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNU\n"
|
||||
"U0FGRSBSU0EgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAw\n"
|
||||
"MDAwMFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmlj\n"
|
||||
"cyBOVjEeMBwGA1UEAxMVU1RTQUZFIFJTQSBSb290IENBIDAyMIICIjANBgkqhkiG\n"
|
||||
"9w0BAQEFAAOCAg8AMIICCgKCAgEAyDtHbW51K/pnDbnPdLQTls2U/bu/aDATTi1W\n"
|
||||
"CZDAtFC9sWtCRK6jQ0SG9DCCys7ur170V3Q+HVov88FzH6bYg4TWY7+wEQKLR/4W\n"
|
||||
"IgdCjcW3uXMimsh9tOb+UlfRMW0yEozi7F+F/v07lULTJg+itCOMASi/caV1ySYI\n"
|
||||
"cX5z/5Woj3hDgJGa4scOoxdOfPg1GCkEjQPy7fG/IBt883palE/T4UNg1megfLcg\n"
|
||||
"hjOrbaPTFB3qXmm6E07QDYMkPiqryz3v9MCnOw62EXGcQLFIK4DwPxySU7NxO0ta\n"
|
||||
"DHXv+8B5ljv4Jtx5OLkDf9YAfjEg6ZOpsyIGKI+bgIoVYtGbXTDZAtoMKw3ystQX\n"
|
||||
"va9ceQ4cIQQUjpH6nFm8dbm/TOrkZd6m9pmLftR6kTuzRd8hhKCwpfcKbxQlMI2u\n"
|
||||
"TDVbw03IFUhk23uDSTOzsyOjB2f93SLEw1yTBuiYXhO2YHUHFJckbiuz7RdE4sjN\n"
|
||||
"1J0LwxKKbm9kleYEP+Kah6IJ0Zs7vbP3WNZUpmt6/XTmszb+paTSpanUYbBr2/IE\n"
|
||||
"aQCRiAlv0H26i5u4CjSHRjjRIqLAuGnpn0gZ2Zgs1espJwmey7MPKvTJtK1H+TQN\n"
|
||||
"0HZW8DYtcdzPkpxqKndWIUR7JTnozVPCVOcirSPGdkSvhbAGPyoyv7ju86RnTiT0\n"
|
||||
"NLz7SbECAwEAAaNCMEAwHQYDVR0OBBYEFHzCjb5uWdhKVANGmxMIANL48G0nMA4G\n"
|
||||
"A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4IC\n"
|
||||
"AQCykiyYyHAXHzRBdqJ3QLr8qTDDNO3RdLToZmiFRdslaRr2RtlDDjcAEFKf1u/E\n"
|
||||
"1qprZe926Ob5KxWIQREvDAgqAbRS9fd3+w6hZ+ZrmHNh5aH2UEgsfAi9vZ3K8BH/\n"
|
||||
"rReqTm0oxCMz4socJ9tIpvGSZhJg6PDTidsIscr8iNcSsVYJO60wSMxn7tv+Buh+\n"
|
||||
"ZgJFddzEYZqTuezsdiXswkAkwqTJY9KM1w0bFLHrmifkc0y6I+jeBgjGxMknz8G5\n"
|
||||
"p7YX4GoeJp5LjM8z36qBFKcjkKpYEb2H+u6CxgXFsxu6nkB0pn3u2uNwmXTYIQKO\n"
|
||||
"trcshrmoKUv7mDvtaNIa0blMTRTEZzkwrR1BsHm/Gz7NLhgkDIv9p1u5oiCwlebh\n"
|
||||
"eJ1cDJ9I7puSBPiDDpkdvVPg0wNFPai/SAhjW0OaULcybVR7kXzST9/xerCoquYp\n"
|
||||
"I+qLjTs+RqahgL5a9ZRPVABX3DwvnDCarwVqMSfRjGP4e8b2BspDM+wPTvQH1K4O\n"
|
||||
"xk+qc9HT7YubzqhtJ/yfcYd/eKTsk60aNmknatNZDSFzq03lxN048n3D9mcjGDkR\n"
|
||||
"15Kv5NX8DhZuCNcBddkGC96uYpgSvl089RgnSL/qPlM+QlVjPbqDpISd/z3X4RNb\n"
|
||||
"vdT+agOdZZJRB1MROQXDnACVdQB1ba/DTO4UNEou27D03Q==\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
/* Subject: CN=STSAFE TPM RSA Intermediate CA 10
|
||||
* Issuer: CN=STSAFE RSA Root CA 02
|
||||
* RSA 4096-bit, SHA2-384
|
||||
* Validity: Jan 1 00:00:00 2042 GMT */
|
||||
"-----BEGIN CERTIFICATE-----\n"
|
||||
"MIIGbDCCBFSgAwIBAgIEQAAAEDANBgkqhkiG9w0BAQwFADBNMQswCQYDVQQGEwJD\n"
|
||||
"SDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNB\n"
|
||||
"RkUgUlNBIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDIwMTAxMDAwMDAw\n"
|
||||
"WjBZMQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5W\n"
|
||||
"MSowKAYDVQQDEyFTVFNBRkUgVFBNIFJTQSBJbnRlcm1lZGlhdGUgQ0EgMTAwggIi\n"
|
||||
"MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLtTMVm6icY4GkyBPSGRG4x04Z\n"
|
||||
"s3QDarRa1jdXDDD5yYNsdenk+9wNb+pOoepnsAoD8oJ4w8MiER4eDln40c26w2fg\n"
|
||||
"s+8UWDJY5zgTn/A+NBoIZ4wpOhFiE5MEWki7hLB6WPgZYDpMY38vG0RrBd9eJHxh\n"
|
||||
"h32wa7ko0NDoUl7DHLIn6xyMePknl/RKcWJHtpn3KBky4qxuJf0SIgKLsjTMqpaa\n"
|
||||
"15HWeYDaij2GDSV/0IY0svLrDwyP/tnONN15PnogkYKpVzXcHKoue2ViBDGqFrDv\n"
|
||||
"/itYz3ze1TMqj6+iiTGG3Hg1exmch8w923Zj5BTn+Fe2kdngzOFf9jVCnRxyYZm3\n"
|
||||
"A60MthkJyAjN8zkZcaepumkbF99WUJQQ2eyK4jGsVzMlmHGcMHOB2AG2W0jbnteo\n"
|
||||
"0Y4PhcVkjeP9KVHu19A3PpIgThwwqeiJN+QyxSIPfwk82GfflxpXeb256hv7xvqn\n"
|
||||
"2YQ0sI5UgU9aQBOZbktxRprTBipqZJbX07oLVCgRuZtm3aCTCIPVQLVGGv7wSjs8\n"
|
||||
"63jQsO/52mTKHz5AAXamWKuX197OJANBWPQyk3u3+OvV8tSaetC7yuezfQUHw0ca\n"
|
||||
"CgAUCit6bX02EKAb0ZZbKzGWEyBhbiw+EICWvRQktX+5S+LnVntBSx2e4zHfAcoA\n"
|
||||
"KKZ6e0OZbvHaPkBOZQIDAQABo4IBRjCCAUIwHQYDVR0OBBYEFGVwYqcQVpFvjH95\n"
|
||||
"ipLd5tgdCpjaMB8GA1UdIwQYMBaAFHzCjb5uWdhKVANGmxMIANL48G0nMEMGA1Ud\n"
|
||||
"IAEB/wQ5MDcwNQYEVR0gADAtMCsGCCsGAQUFBwIBFh9odHRwOi8vc3ctY2VudGVy\n"
|
||||
"LnN0LmNvbS9TVFNBRkUvMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\n"
|
||||
"AgEAMFAGCCsGAQUFBwEBBEQwQjBABggrBgEFBQcwAoY0aHR0cDovL3N3LWNlbnRl\n"
|
||||
"ci5zdC5jb20vU1RTQUZFL1NUU0FGRVJzYVJvb3RDQTAyLmNydDBFBgNVHR8EPjA8\n"
|
||||
"MDqgOKA2hjRodHRwOi8vc3ctY2VudGVyLnN0LmNvbS9TVFNBRkUvU1RTQUZFUnNh\n"
|
||||
"Um9vdENBMDIuY3JsMA0GCSqGSIb3DQEBDAUAA4ICAQCATjBOFHEiOfz5pGvjB0GR\n"
|
||||
"aRSOMQI/kccR5FBSrsJV3wVhnEBA9WPc9sMZ5VarDiNpSYWihtyFAe72QWqsRar6\n"
|
||||
"oRYAHvwsRio2l5W6GbCe50cbdvaOQlVC5wHQnP+kywdOUyK0VRKGP5qJhgS6Ze8v\n"
|
||||
"0Ppc6f1UsxNHWmI1uy1oVGjF+Vl3d23EDz6G2BLRwzzMsNKZ6MM0xfNh8Us4Qvpj\n"
|
||||
"Dfm+ysmX7wKYoJBAcxipaFDAEzNGLScagsJ9UvJ5whEyxvG1TrvPyvM/b+aU7H8B\n"
|
||||
"aBNIsUdVKwfwkVHQah4Cyd3aXultFhJoTT44HiM6kYqfe+tPd3KbqxhEobAbFyZV\n"
|
||||
"Eot3CYMQV+ZVK5xfG4Te7s9rE6HLeGGP3vWlOTtVCsMWG39FfVz+4oshygXk8c6G\n"
|
||||
"rAUWSD2A96z0N4eg4MKemGmE56zaQx65jfjk5HiFDsf+A7zMAZ0P61FVUZ/GWLJY\n"
|
||||
"6SicMpev12sGN4tUkqZOabgZEAzxdnaKrWUSOFVVE8e6l+TnQKS/xGDyCu0ANOPR\n"
|
||||
"qMLM3x5Kx9kVZ8kGYs+8FRiVXx61WVJHztmfJmcUQirroIJZuEwAJYTt576sOQxH\n"
|
||||
"U9R2VOyUgNRAdwYSvy6PU7IjDjMuTYaeMyJCJGFRcnFk/QqbHXFI4eNN5gtDKhT7\n"
|
||||
"uKErQfPEhjYLdzF8/OYW7w==\n"
|
||||
"-----END CERTIFICATE-----\n",
|
||||
|
||||
};
|
||||
|
||||
#endif /* WOLFTPM_TRUSTED_CERTS_H */
|
||||
|
|
@ -17,6 +17,7 @@ include examples/gpio/include.am
|
|||
include examples/seal/include.am
|
||||
include examples/attestation/include.am
|
||||
include examples/firmware/include.am
|
||||
include examples/endorsement/include.am
|
||||
|
||||
if BUILD_EXAMPLES
|
||||
EXTRA_DIST += examples/run_examples.sh
|
||||
|
|
|
|||
|
|
@ -55,6 +55,7 @@ static void usage(void)
|
|||
printf("* -priv: Read ony the private part\n");
|
||||
printf("* -pub: Read only the public part\n");
|
||||
printf("* -aes/xor: Use Parameter Encryption\n");
|
||||
printf("* -endorsement/platform/owner: Auth hierarchy\n");
|
||||
}
|
||||
|
||||
int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
|
||||
|
|
@ -68,7 +69,7 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
|
|||
WOLFTPM2_NV nv;
|
||||
TPM2B_AUTH auth;
|
||||
word32 readSize;
|
||||
TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER; /* or TPM_RH_PLATFORM */
|
||||
TPMI_RH_NV_AUTH authHandle = TPM_RH_OWNER;
|
||||
int paramEncAlg = TPM_ALG_NULL;
|
||||
int partialRead = 0;
|
||||
int offset = 0;
|
||||
|
|
@ -89,13 +90,7 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
|
|||
if (XSTRNCMP(argv[argc-1], "-nvindex=", XSTRLEN("-nvindex=")) == 0) {
|
||||
const char* nvIndexStr = argv[argc-1] + XSTRLEN("-nvindex=");
|
||||
nvIndex = (word32)XSTRTOL(nvIndexStr, NULL, 0);
|
||||
if (!(authHandle == TPM_RH_PLATFORM && (
|
||||
nvIndex > TPM_20_PLATFORM_MFG_NV_SPACE &&
|
||||
nvIndex < TPM_20_OWNER_NV_SPACE)) &&
|
||||
!(authHandle == TPM_RH_OWNER && (
|
||||
nvIndex > TPM_20_OWNER_NV_SPACE &&
|
||||
nvIndex < TPM_20_TCG_NV_SPACE)))
|
||||
{
|
||||
if (nvIndex < NV_INDEX_FIRST || nvIndex > NV_INDEX_LAST) {
|
||||
fprintf(stderr, "Invalid NV Index %s\n", nvIndexStr);
|
||||
fprintf(stderr, "\tPlatform Range: 0x%x -> 0x%x\n",
|
||||
TPM_20_PLATFORM_MFG_NV_SPACE, TPM_20_OWNER_NV_SPACE);
|
||||
|
|
@ -105,6 +100,15 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
|
|||
return -1;
|
||||
}
|
||||
}
|
||||
else if (XSTRCMP(argv[argc-1], "-endorsement") == 0) {
|
||||
authHandle = TPM_RH_ENDORSEMENT;
|
||||
}
|
||||
else if (XSTRCMP(argv[argc-1], "-platform") == 0) {
|
||||
authHandle = TPM_RH_PLATFORM;
|
||||
}
|
||||
else if (XSTRCMP(argv[argc-1], "-owner") == 0) {
|
||||
authHandle = TPM_RH_OWNER;
|
||||
}
|
||||
else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
|
||||
paramEncAlg = TPM_ALG_CFB;
|
||||
}
|
||||
|
|
@ -123,14 +127,19 @@ int TPM2_NVRAM_Read_Example(void* userCtx, int argc, char *argv[])
|
|||
argc--;
|
||||
}
|
||||
|
||||
printf("NV Read\n");
|
||||
printf("\tNV Index: 0x%08x\n", nvIndex);
|
||||
printf("\tAuth: %s\n",
|
||||
(authHandle == TPM_RH_ENDORSEMENT) ? "Endorsement" :
|
||||
(authHandle == TPM_RH_PLATFORM) ? "Platform" : "Owner");
|
||||
if (paramEncAlg == TPM_ALG_CFB) {
|
||||
printf("Parameter Encryption: Enabled. (AES CFB)\n\n");
|
||||
printf("\tParameter Encryption: Enabled. (AES CFB)\n\n");
|
||||
}
|
||||
else if (paramEncAlg == TPM_ALG_XOR) {
|
||||
printf("Parameter Encryption: Enabled. (XOR)\n\n");
|
||||
printf("\tParameter Encryption: Enabled. (XOR)\n\n");
|
||||
}
|
||||
else {
|
||||
printf("Parameter Encryption: Not enabled (try -aes or -xor).\n\n");
|
||||
printf("\tParameter Encryption: Not enabled (try -aes or -xor).\n\n");
|
||||
}
|
||||
|
||||
XMEMSET(&keyBlob, 0, sizeof(keyBlob));
|
||||
|
|
|
|||
|
|
@ -600,6 +600,13 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
|
|||
|
||||
fi
|
||||
|
||||
# Endorsement key and certificate
|
||||
echo -e "Endorsement Key (EK) and Certificate"
|
||||
./examples/endorsement/get_ek_certs >> run.out 2>&1
|
||||
RESULT=$?
|
||||
[ $RESULT -ne 0 ] && echo -e "get_ek_certs failed! $RESULT" && exit 1
|
||||
|
||||
|
||||
rm -f keyblob.bin
|
||||
|
||||
echo -e "Success!"
|
||||
|
|
|
|||
|
|
@ -29,7 +29,8 @@
|
|||
#include <stdio.h>
|
||||
|
||||
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY) && \
|
||||
(defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS))
|
||||
|
||||
#include <hal/tpm_io.h>
|
||||
#include <examples/tpm_test.h>
|
||||
|
|
@ -633,7 +634,8 @@ int main(int argc, char* argv[])
|
|||
int rc = -1;
|
||||
|
||||
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY)
|
||||
!defined(NO_WOLFSSL_CLIENT) && !defined(WOLFCRYPT_ONLY) && \
|
||||
(defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS))
|
||||
rc = TPM2_TLS_ClientArgs(NULL, argc, argv);
|
||||
#else
|
||||
(void)argc;
|
||||
|
|
|
|||
|
|
@ -29,7 +29,8 @@
|
|||
#include <stdio.h>
|
||||
|
||||
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
|
||||
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY)
|
||||
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY) && \
|
||||
(defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS))
|
||||
|
||||
#include <hal/tpm_io.h>
|
||||
#include <examples/tpm_test.h>
|
||||
|
|
@ -623,7 +624,8 @@ int main(int argc, char* argv[])
|
|||
int rc = -1;
|
||||
|
||||
#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
|
||||
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY)
|
||||
!defined(NO_WOLFSSL_SERVER) && !defined(WOLFCRYPT_ONLY) && \
|
||||
(defined(WOLFTPM_CRYPTOCB) || defined(HAVE_PK_CALLBACKS))
|
||||
rc = TPM2_TLS_ServerArgs(NULL, argc, argv);
|
||||
#else
|
||||
(void)argc;
|
||||
|
|
|
|||
|
|
@ -5495,8 +5495,6 @@ int TPM2_IFX_FieldUpgradeCommand(TPM_CC cc, uint8_t* data, uint32_t size)
|
|||
}
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
||||
#endif /* WOLFTPM_SLB9672 || WOLFTPM_SLB9673 */
|
||||
#endif /* WOLFTPM_FIRMWARE_UPGRADE */
|
||||
|
||||
|
|
@ -6004,6 +6002,10 @@ int TPM2_GetTpmCurve(int curve_id)
|
|||
case ECC_SECP521R1:
|
||||
ret = TPM_ECC_NIST_P521;
|
||||
break;
|
||||
case ECC_BRAINPOOLP256R1:
|
||||
ret = TPM_ECC_BN_P256;
|
||||
break;
|
||||
case TPM_ECC_BN_P638:
|
||||
default:
|
||||
ret = ECC_CURVE_OID_E;
|
||||
}
|
||||
|
|
@ -6033,7 +6035,10 @@ int TPM2_GetWolfCurve(int curve_id)
|
|||
ret = ECC_SECP521R1;
|
||||
break;
|
||||
case TPM_ECC_BN_P256:
|
||||
ret = ECC_BRAINPOOLP256R1;
|
||||
break;
|
||||
case TPM_ECC_BN_P638:
|
||||
default:
|
||||
ret = ECC_CURVE_OID_E;
|
||||
}
|
||||
#endif
|
||||
|
|
|
|||
174
src/tpm2_wrap.c
174
src/tpm2_wrap.c
|
|
@ -1413,6 +1413,12 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm
|
|||
hashType = WC_HASH_TYPE_SHA256;
|
||||
mgf = WC_MGF1SHA256;
|
||||
}
|
||||
#ifdef WOLFSSL_SHA384
|
||||
else if (publicArea->nameAlg == TPM_ALG_SHA384) {
|
||||
hashType = WC_HASH_TYPE_SHA384;
|
||||
mgf = WC_MGF1SHA384;
|
||||
}
|
||||
#endif
|
||||
else {
|
||||
return NOT_COMPILED_IN;
|
||||
}
|
||||
|
|
@ -5711,7 +5717,8 @@ int GetKeyTemplateRSA(TPMT_PUBLIC* publicTemplate,
|
|||
((objectAttributes & TPMA_OBJECT_decrypt) &&
|
||||
(objectAttributes & TPMA_OBJECT_restricted))) {
|
||||
publicTemplate->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
|
||||
publicTemplate->parameters.rsaDetail.symmetric.keyBits.aes = 128;
|
||||
publicTemplate->parameters.rsaDetail.symmetric.keyBits.aes =
|
||||
(keyBits > 2048) ? 256 : 128;
|
||||
publicTemplate->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
|
||||
}
|
||||
else {
|
||||
|
|
@ -5750,7 +5757,8 @@ int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate,
|
|||
((objectAttributes & TPMA_OBJECT_decrypt) &&
|
||||
(objectAttributes & TPMA_OBJECT_restricted))) {
|
||||
publicTemplate->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
|
||||
publicTemplate->parameters.eccDetail.symmetric.keyBits.aes = 128;
|
||||
publicTemplate->parameters.eccDetail.symmetric.keyBits.aes =
|
||||
(curveSz >= 48) ? 256 : 128;
|
||||
publicTemplate->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
|
||||
}
|
||||
else {
|
||||
|
|
@ -5857,40 +5865,154 @@ int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID name
|
|||
return TPM_RC_SUCCESS;
|
||||
}
|
||||
|
||||
int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate)
|
||||
int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
|
||||
int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange)
|
||||
{
|
||||
int ret;
|
||||
int rc;
|
||||
TPMA_OBJECT objectAttributes = (
|
||||
TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
|
||||
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_adminWithPolicy |
|
||||
TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt);
|
||||
|
||||
ret = GetKeyTemplateRSA(publicTemplate, TPM_ALG_SHA256,
|
||||
objectAttributes, 2048, 0, TPM_ALG_NULL, TPM_ALG_NULL);
|
||||
if (ret == 0) {
|
||||
publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
|
||||
XMEMCPY(publicTemplate->authPolicy.buffer,
|
||||
TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
|
||||
if (highRange) {
|
||||
/* High range requires userWithAuth=1 */
|
||||
objectAttributes |= TPMA_OBJECT_userWithAuth;
|
||||
}
|
||||
return ret;
|
||||
|
||||
if (alg == TPM_ALG_RSA) {
|
||||
rc = GetKeyTemplateRSA(publicTemplate, nameAlg,
|
||||
objectAttributes, keyBits, 0, TPM_ALG_NULL, TPM_ALG_NULL);
|
||||
if (rc == 0 && highRange) { /* high range uses 0 unique size */
|
||||
publicTemplate->unique.rsa.size = 0;
|
||||
}
|
||||
}
|
||||
else if (alg == TPM_ALG_ECC) {
|
||||
rc = GetKeyTemplateECC(publicTemplate, nameAlg,
|
||||
objectAttributes, curveID, TPM_ALG_NULL, TPM_ALG_NULL);
|
||||
if (rc == 0 && highRange) { /* high range uses 0 unique size */
|
||||
publicTemplate->unique.ecc.x.size = 0;
|
||||
publicTemplate->unique.ecc.y.size = 0;
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
rc = BAD_FUNC_ARG; /* not supported */
|
||||
}
|
||||
|
||||
if (rc == 0) {
|
||||
if (nameAlg == TPM_ALG_SHA256 && !highRange) {
|
||||
publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
|
||||
XMEMCPY(publicTemplate->authPolicy.buffer,
|
||||
TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
|
||||
}
|
||||
else if (nameAlg == TPM_ALG_SHA256) {
|
||||
publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA256);
|
||||
XMEMCPY(publicTemplate->authPolicy.buffer,
|
||||
TPM_20_EK_AUTH_POLICY_SHA256, publicTemplate->authPolicy.size);
|
||||
}
|
||||
#ifdef WOLFSSL_SHA384
|
||||
else if (nameAlg == TPM_ALG_SHA384) {
|
||||
publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA384);
|
||||
XMEMCPY(publicTemplate->authPolicy.buffer,
|
||||
TPM_20_EK_AUTH_POLICY_SHA384, publicTemplate->authPolicy.size);
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHA512
|
||||
else if (nameAlg == TPM_ALG_SHA512) {
|
||||
publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA512);
|
||||
XMEMCPY(publicTemplate->authPolicy.buffer,
|
||||
TPM_20_EK_AUTH_POLICY_SHA512, publicTemplate->authPolicy.size);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
int wolfTPM2_GetKeyTemplate_EKIndex(word32 nvIndex,
|
||||
TPMT_PUBLIC* publicTemplate)
|
||||
{
|
||||
TPM_ALG_ID alg = TPM_ALG_NULL;
|
||||
TPM_ALG_ID nameAlg = TPM_ALG_NULL;
|
||||
TPM_ECC_CURVE curveID = TPM_ECC_NONE;
|
||||
uint32_t keyBits = 0;
|
||||
int highRange = 0;
|
||||
|
||||
/* validate index is in NV EK range */
|
||||
if (nvIndex < TPM_20_TCG_NV_SPACE ||
|
||||
nvIndex > TPM_20_TCG_NV_SPACE + 0x1FF) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
/* determine if low or high range */
|
||||
if (nvIndex >= TPM2_NV_EK_RSA2048) {
|
||||
highRange = 1;
|
||||
}
|
||||
|
||||
/* Determine algorithm based on index */
|
||||
switch (nvIndex) {
|
||||
case TPM2_NV_RSA_EK_CERT: /* EK (Low Range): RSA 2048 */
|
||||
case TPM2_NV_EK_RSA2048: /* EK (High Range) */
|
||||
alg = TPM_ALG_RSA;
|
||||
nameAlg = TPM_ALG_SHA256;
|
||||
keyBits = 2048;
|
||||
break;
|
||||
case TPM2_NV_EK_RSA3072:
|
||||
alg = TPM_ALG_RSA;
|
||||
nameAlg = TPM_ALG_SHA384;
|
||||
keyBits = 3072;
|
||||
break;
|
||||
case TPM2_NV_EK_RSA4096:
|
||||
alg = TPM_ALG_RSA;
|
||||
nameAlg = TPM_ALG_SHA512;
|
||||
keyBits = 4096;
|
||||
break;
|
||||
case TPM2_NV_ECC_EK_CERT: /* EK (Low Range): ECC P256 */
|
||||
case TPM2_NV_EK_ECC_P256: /* EK (High Range) */
|
||||
alg = TPM_ALG_ECC;
|
||||
curveID = TPM_ECC_NIST_P256;
|
||||
nameAlg = TPM_ALG_SHA256;
|
||||
keyBits = 256;
|
||||
break;
|
||||
case TPM2_NV_EK_ECC_P384:
|
||||
alg = TPM_ALG_ECC;
|
||||
curveID = TPM_ECC_NIST_P384;
|
||||
nameAlg = TPM_ALG_SHA384;
|
||||
keyBits = 384;
|
||||
break;
|
||||
case TPM2_NV_EK_ECC_P521:
|
||||
alg = TPM_ALG_ECC;
|
||||
curveID = TPM_ECC_NIST_P521;
|
||||
nameAlg = TPM_ALG_SHA512;
|
||||
keyBits = 521;
|
||||
break;
|
||||
case TPM2_NV_EK_ECC_SM2:
|
||||
alg = TPM_ALG_SM2;
|
||||
curveID = TPM_ECC_SM2_P256;
|
||||
nameAlg = TPM_ALG_SHA256;
|
||||
keyBits = 256;
|
||||
break;
|
||||
default:
|
||||
alg = TPM_ALG_NULL;
|
||||
curveID = TPM_ECC_NONE;
|
||||
nameAlg = TPM_ALG_NULL;
|
||||
keyBits = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
return wolfTPM2_GetKeyTemplate_EK(publicTemplate, alg, keyBits, curveID,
|
||||
nameAlg, highRange);
|
||||
}
|
||||
|
||||
int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate)
|
||||
{
|
||||
return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_RSA, 2048,
|
||||
TPM_ALG_NULL, TPM_ALG_SHA256, 0);
|
||||
}
|
||||
|
||||
int wolfTPM2_GetKeyTemplate_ECC_EK(TPMT_PUBLIC* publicTemplate)
|
||||
{
|
||||
int ret;
|
||||
TPMA_OBJECT objectAttributes = (
|
||||
TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
|
||||
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_adminWithPolicy |
|
||||
TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt);
|
||||
|
||||
ret = GetKeyTemplateECC(publicTemplate, TPM_ALG_SHA256,
|
||||
objectAttributes, TPM_ECC_NIST_P256, TPM_ALG_NULL, TPM_ALG_NULL);
|
||||
if (ret == 0) {
|
||||
publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
|
||||
XMEMCPY(publicTemplate->authPolicy.buffer,
|
||||
TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
|
||||
}
|
||||
return ret;
|
||||
return wolfTPM2_GetKeyTemplate_EK(publicTemplate, TPM_ALG_ECC, 256,
|
||||
TPM_ECC_NIST_P256, TPM_ALG_SHA256, 0);
|
||||
}
|
||||
|
||||
int wolfTPM2_GetKeyTemplate_RSA_SRK(TPMT_PUBLIC* publicTemplate)
|
||||
|
|
|
|||
|
|
@ -1649,18 +1649,67 @@ typedef struct TPM2_AUTH_SESSION {
|
|||
#define TPM_20_OWNER_NV_SPACE ((TPM_HT_NV_INDEX << 24) | (0x02 << 22))
|
||||
#define TPM_20_TCG_NV_SPACE ((TPM_HT_NV_INDEX << 24) | (0x03 << 22))
|
||||
|
||||
#define TPM_20_NV_INDEX_EK_CERTIFICATE (TPM_20_PLATFORM_MFG_NV_SPACE + 2)
|
||||
#define TPM_20_NV_INDEX_EK_NONCE (TPM_20_PLATFORM_MFG_NV_SPACE + 3)
|
||||
#define TPM_20_NV_INDEX_EK_TEMPLATE (TPM_20_PLATFORM_MFG_NV_SPACE + 4)
|
||||
/* EK (Low Range): RSA 2048 */
|
||||
#define TPM2_NV_RSA_EK_CERT (TPM_20_TCG_NV_SPACE + 0x2)
|
||||
#define TPM2_NV_RSA_EK_NONCE (TPM_20_TCG_NV_SPACE + 0x3)
|
||||
#define TPM2_NV_RSA_EK_TEMPLATE (TPM_20_TCG_NV_SPACE + 0x4)
|
||||
|
||||
/* Predetermined TPM 2.0 Endorsement policy auth template for SHA2-256 */
|
||||
/* EK (Low Range): ECC P256 */
|
||||
#define TPM2_NV_ECC_EK_CERT (TPM_20_TCG_NV_SPACE + 0xA)
|
||||
#define TPM2_NV_ECC_EK_NONCE (TPM_20_TCG_NV_SPACE + 0xB)
|
||||
#define TPM2_NV_ECC_EK_TEMPLATE (TPM_20_TCG_NV_SPACE + 0xC)
|
||||
|
||||
/* EK (High Range) */
|
||||
#define TPM2_NV_EK_RSA2048 (TPM_20_TCG_NV_SPACE + 0x12)
|
||||
#define TPM2_NV_EK_ECC_P256 (TPM_20_TCG_NV_SPACE + 0x14)
|
||||
#define TPM2_NV_EK_ECC_P384 (TPM_20_TCG_NV_SPACE + 0x16)
|
||||
#define TPM2_NV_EK_ECC_P521 (TPM_20_TCG_NV_SPACE + 0x18)
|
||||
#define TPM2_NV_EK_ECC_SM2 (TPM_20_TCG_NV_SPACE + 0x1A)
|
||||
#define TPM2_NV_EK_RSA3072 (TPM_20_TCG_NV_SPACE + 0x1C)
|
||||
#define TPM2_NV_EK_RSA4096 (TPM_20_TCG_NV_SPACE + 0x1E)
|
||||
|
||||
/* EK Certificate Chains (0x100 - 0x1FF) - Not common */
|
||||
#define TPM2_NV_EK_CHAIN (TPM_20_TCG_NV_SPACE + 0x100)
|
||||
|
||||
/* Predetermined TPM 2.0 Endorsement policy auth templates */
|
||||
/* SHA256 (Low Range) */
|
||||
static const BYTE TPM_20_EK_AUTH_POLICY[] = {
|
||||
0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xb3, 0xf8, 0x1a, 0x90, 0xcc,
|
||||
0x8d, 0x46, 0xa5, 0xd7, 0x24, 0xfd, 0x52, 0xd7, 0x6e, 0x06, 0x52,
|
||||
0x0b, 0x64, 0xf2, 0xa1, 0xda, 0x1b, 0x33, 0x14, 0x69, 0xaa,
|
||||
0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8,
|
||||
0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
|
||||
0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
|
||||
0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA
|
||||
};
|
||||
|
||||
|
||||
/* SHA256 (PolicyB - High Range) */
|
||||
static const BYTE TPM_20_EK_AUTH_POLICY_SHA256[] = {
|
||||
0xCA, 0x3D, 0x0A, 0x99, 0xA2, 0xB9, 0x39, 0x06,
|
||||
0xF7, 0xA3, 0x34, 0x24, 0x14, 0xEF, 0xCF, 0xB3,
|
||||
0xA3, 0x85, 0xD4, 0x4C, 0xD1, 0xFD, 0x45, 0x90,
|
||||
0x89, 0xD1, 0x9B, 0x50, 0x71, 0xC0, 0xB7, 0xA0
|
||||
};
|
||||
#ifdef WOLFSSL_SHA384
|
||||
/* SHA384 (PolicyB - High Range) */
|
||||
static const BYTE TPM_20_EK_AUTH_POLICY_SHA384[] = {
|
||||
0xB2, 0x6E, 0x7D, 0x28, 0xD1, 0x1A, 0x50, 0xBC,
|
||||
0x53, 0xD8, 0x82, 0xBC, 0xF5, 0xFD, 0x3A, 0x1A,
|
||||
0x07, 0x41, 0x48, 0xBB, 0x35, 0xD3, 0xB4, 0xE4,
|
||||
0xCB, 0x1C, 0x0A, 0xD9, 0xBD, 0xE4, 0x19, 0xCA,
|
||||
0xCB, 0x47, 0xBA, 0x09, 0x69, 0x96, 0x46, 0x15,
|
||||
0x0F, 0x9F, 0xC0, 0x00, 0xF3, 0xF8, 0x0E, 0x12
|
||||
};
|
||||
#endif
|
||||
#ifdef WOLFSSL_SHA512
|
||||
/* SHA512 (PolicyB - High Range) */
|
||||
static const BYTE TPM_20_EK_AUTH_POLICY_SHA512[] = {
|
||||
0xB8, 0x22, 0x1C, 0xA6, 0x9E, 0x85, 0x50, 0xA4,
|
||||
0x91, 0x4D, 0xE3, 0xFA, 0xA6, 0xA1, 0x8C, 0x07,
|
||||
0x2C, 0xC0, 0x12, 0x08, 0x07, 0x3A, 0x92, 0x8D,
|
||||
0x5D, 0x66, 0xD5, 0x9E, 0xF7, 0x9E, 0x49, 0xA4,
|
||||
0x29, 0xC4, 0x1A, 0x6B, 0x26, 0x95, 0x71, 0xD5,
|
||||
0x7E, 0xDB, 0x25, 0xFB, 0xDB, 0x18, 0x38, 0x42,
|
||||
0x56, 0x08, 0xB4, 0x13, 0xCD, 0x61, 0x6A, 0x5F,
|
||||
0x6D, 0xB5, 0xB6, 0x07, 0x1A, 0xF9, 0x9B, 0xEA
|
||||
};
|
||||
#endif
|
||||
|
||||
/* HAL IO Callbacks */
|
||||
struct TPM2_CTX;
|
||||
|
|
|
|||
|
|
@ -134,10 +134,6 @@ typedef struct WOLFTPM2_CAPS {
|
|||
word16 req_wait_state : 1; /* requires SPI wait state */
|
||||
} WOLFTPM2_CAPS;
|
||||
|
||||
/* NV Handles */
|
||||
#define TPM2_NV_RSA_EK_CERT 0x01C00002
|
||||
#define TPM2_NV_ECC_EK_CERT 0x01C0000A
|
||||
|
||||
|
||||
/* Wrapper API's to simplify TPM use */
|
||||
|
||||
|
|
@ -2678,6 +2674,46 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeyedHash(TPMT_PUBLIC* publicTemplate,
|
|||
*/
|
||||
WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID nameAlg);
|
||||
|
||||
/*!
|
||||
\ingroup wolfTPM2_Wrappers
|
||||
\brief Prepares a TPM public template for generating the TPM Endorsement Key
|
||||
|
||||
\return TPM_RC_SUCCESS: successful
|
||||
\return BAD_FUNC_ARG: check the provided arguments
|
||||
|
||||
\param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template
|
||||
\param alg can be only TPM_ALG_RSA or TPM_ALG_ECC, see Note above
|
||||
\param keyBits integer value, specifying bits for the key, typically 2048 (RSA) or 256 (ECC)
|
||||
\param curveId use one of the accepted TPM_ECC_CURVE values like TPM_ECC_NIST_P256 (only used when alg=TPM_ALG_ECC)
|
||||
\param nameAlg integer value of TPMI_ALG_HASH type, specifying a valid TPM2 hashing algorithm (typically TPM_ALG_SHA256)
|
||||
\param highRange integer value: 0=low range, 1=high range
|
||||
|
||||
\sa wolfTPM2_GetKeyTemplate_ECC_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_SRK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_AIK
|
||||
\sa wolfTPM2_GetKeyTemplate_EKIndex
|
||||
*/
|
||||
WOLFTPM_API int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
|
||||
int keyBits, TPM_ECC_CURVE curveID, TPM_ALG_ID nameAlg, int highRange);
|
||||
|
||||
/*!
|
||||
\ingroup wolfTPM2_Wrappers
|
||||
\brief Helper to get the Endorsement public key template by NV index
|
||||
|
||||
\return TPM_RC_SUCCESS: successful
|
||||
\return BAD_FUNC_ARG: check the provided arguments
|
||||
|
||||
\param nvIndex handle for NV index. Typically starting from TPM_20_TCG_NV_SPACE
|
||||
\param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template
|
||||
|
||||
\sa wolfTPM2_GetKeyTemplate_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_ECC_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_SRK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_AIK
|
||||
*/
|
||||
WOLFTPM_API int wolfTPM2_GetKeyTemplate_EKIndex(word32 nvIndex,
|
||||
TPMT_PUBLIC* publicTemplate);
|
||||
|
||||
/*!
|
||||
\ingroup wolfTPM2_Wrappers
|
||||
\brief Prepares a TPM public template for generating the TPM Endorsement Key of RSA type
|
||||
|
|
@ -2687,6 +2723,7 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM
|
|||
|
||||
\param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template
|
||||
|
||||
\sa wolfTPM2_GetKeyTemplate_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_ECC_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_SRK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_AIK
|
||||
|
|
@ -2702,6 +2739,7 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_RSA_EK(TPMT_PUBLIC* publicTemplate);
|
|||
|
||||
\param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new template
|
||||
|
||||
\sa wolfTPM2_GetKeyTemplate_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_RSA_EK
|
||||
\sa wolfTPM2_GetKeyTemplate_ECC_SRK
|
||||
\sa wolfTPM2_GetKeyTemplate_ECC_AIK
|
||||
|
|
|
|||
Loading…
Reference in New Issue