WolfSSL
/
wolfTPM
mirror of https://github.com/wolfSSL/wolfTPM.git
1
0
Fork 0
Code Issues Releases Wiki Activity

EK Cert Verification with TPM only (no wolfCrypt). Example assumes ST33KTPM2X. `./configure --disable-wolfcrypt && make && ./examples/endorsement/verify_ek_cert`

pull/394/head
David Garske 2025-01-23 16:02:28 -08:00
parent bcf2647ebc
commit c42fff4f7f
8 changed files with 1085 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -84,6 +84,7 @@ examples/boot/secret_unseal
examples/firmware/ifx_fw_extract
examples/firmware/ifx_fw_update
examples/endorsement/get_ek_certs
examples/endorsement/verify_ek_cert
# Generated Cert Files
certs/ca-*.pem

236
examples/endorsement/README.md
View File

@ -44,3 +44,239 @@ Example:
- STSAFE-TPM RSA intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmrsaint10.crt)
- STSAFE ECC root CA 02 (http://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt)
- STSAFE-TPM ECC intermediate CA 10 (http://sw-center.st.com/STSAFE/stsafetpmeccint10.crt)
Sample Output:
```
$ ./examples/endorsement/verify_ek_cert
Endorsement Certificate Verify
TPM2: Caps 0x30000415, Did 0x0004, Vid 0x104a, Rid 0x 1
TPM2_Startup pass
TPM2_NV_ReadPublic: Sz 14, Idx 0x1c00002, nameAlg 11, Attr 0x62076801, authPol 0, dataSz 1300, name 34
TPM2_NV_ReadPublic: Sz 14, Idx 0x1c00002, nameAlg 11, Attr 0x62076801, authPol 0, dataSz 1300, name 34
TPM2_NV_Read: Auth 0x1c00002, Idx 0x1c00002, Offset 0, Size 768
TPM2_NV_Read: Auth 0x1c00002, Idx 0x1c00002, Offset 768, Size 532
EK Data: 1300
30 82 05 10 30 82 02 f8 a0 03 02 01 02 02 14 58 | 0...0..........X
63 86 17 74 73 22 ca 34 60 4a f6 cf d9 b4 44 9e | c..ts".4`J....D.
4b ba 03 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c | K..0...*.H......
05 00 30 59 31 0b 30 09 06 03 55 04 06 13 02 43 | ..0Y1.0...U....C
48 31 1e 30 1c 06 03 55 04 0a 13 15 53 54 4d 69 | H1.0...U....STMi
63 72 6f 65 6c 65 63 74 72 6f 6e 69 63 73 20 4e | croelectronics N
56 31 2a 30 28 06 03 55 04 03 13 21 53 54 53 41 | V1*0(..U...!STSA
46 45 20 54 50 4d 20 52 53 41 20 49 6e 74 65 72 | FE TPM RSA Inter
6d 65 64 69 61 74 65 20 43 41 20 32 30 30 20 17 | mediate CA 200 .
0d 32 33 30 36 30 31 30 39 34 39 33 35 5a 18 0f | .230601094935Z..
39 39 39 39 31 32 33 31 32 33 35 39 35 39 5a 30 | 99991231235959Z0
00 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 | .0.."0...*.H....
01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 | .........0......
01 00 b3 20 db 1a 10 d2 16 8c 5d 92 c0 47 87 b1 | ... ......]..G..
dc ae af 5b f2 44 15 dd 84 9a 17 3f c6 76 61 29 | ...[.D.....?.va)
c6 c3 4c e5 50 27 a2 26 8b fd e0 9d 34 09 93 0f | ..L.P'.&....4...
64 6a b0 46 f5 5b 19 1c 14 45 b7 24 d3 a9 a5 7d | dj.F.[...E.$...}
4c a7 0a ba cc d4 72 a2 18 2e 1a 20 a5 33 6f 5f | L.....r.... .3o_
f5 21 10 bf db af 74 7f 97 93 46 64 40 16 c2 e9 | .!....t...Fd@...
8f cc e0 f2 4a 94 29 4e 73 87 6f a4 bb c8 f3 e1 | ....J.)Ns.o.....
02 35 12 c9 c7 e8 4c f2 59 94 5f d2 5a ca 35 48 | .5....L.Y._.Z.5H
e3 0d 59 90 41 33 10 cd 4b f5 ff a7 0c 4e 94 ce | ..Y.A3..K....N..
86 45 fb 89 aa b4 76 10 8e ed 90 1e bf b9 6b 88 | .E....v.......k.
df 5a 1a b7 b5 cb a8 80 ff cf 4d a8 c1 05 b6 15 | .Z........M.....
49 8d 22 74 29 56 95 56 e5 1d 4f 31 44 da 77 3c | I."t)V.V..O1D.w<
a7 46 a3 e2 d5 ee 18 51 0c 9c 51 52 49 ff d1 ba | .F.....Q..QRI...
4f cd 33 42 0d 8e e9 c8 da a0 ff 10 02 0d dd e4 | O.3B............
fa 49 21 98 e9 28 c7 c5 25 ac 7b 90 91 99 fb 99 | .I!..(..%.{.....
36 63 dc 50 98 fa fd 32 37 c2 08 9c 43 fc 59 d6 | 6c.P...27...C.Y.
27 5f 02 03 01 00 01 a3 82 01 25 30 82 01 21 30 | '_........%0..!0
1f 06 03 55 1d 23 04 18 30 16 80 14 8f e0 78 f8 | ...U.#..0.....x.
ca 88 59 fe fe 3f 7a 98 37 2c fc 02 c6 08 44 49 | ..Y..?z.7,....DI
30 58 06 03 55 1d 11 01 01 ff 04 4e 30 4c a4 4a | 0X..U......N0L.J
30 48 31 16 30 14 06 05 67 81 05 02 01 0c 0b 69 | 0H1.0...g......i
64 3a 35 33 35 34 34 44 32 30 31 16 30 14 06 05 | d:53544D201.0...
67 81 05 02 02 0c 0b 53 54 33 33 4b 54 50 4d 32 | g......ST33KTPM2
41 49 31 16 30 14 06 05 67 81 05 02 03 0c 0b 69 | AI1.0...g......i
64 3a 30 30 30 41 30 31 30 31 30 22 06 03 55 1d | d:000A01010"..U.
09 04 1b 30 19 30 17 06 05 67 81 05 02 10 31 0e | ...0.0...g....1.
30 0c 0c 03 32 2e 30 02 01 00 02 02 00 9f 30 0c | 0...2.0.......0.
06 03 55 1d 13 01 01 ff 04 02 30 00 30 10 06 03 | ..U.......0.0...
55 1d 25 04 09 30 07 06 05 67 81 05 08 01 30 0e | U.%..0...g....0.
06 03 55 1d 0f 01 01 ff 04 04 03 02 05 20 30 50 | ..U.......... 0P
06 08 2b 06 01 05 05 07 01 01 04 44 30 42 30 40 | ..+........D0B0@
06 08 2b 06 01 05 05 07 30 02 86 34 68 74 74 70 | ..+.....0..4http
3a 2f 2f 73 77 2d 63 65 6e 74 65 72 2e 73 74 2e | ://sw-center.st.
63 6f 6d 2f 53 54 53 41 46 45 2f 73 74 73 61 66 | com/STSAFE/stsaf
65 74 70 6d 72 73 61 69 6e 74 32 30 2e 63 72 74 | etpmrsaint20.crt
30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 03 | 0...*.H.........
82 02 01 00 b5 7a 68 4d aa d5 3a bf a2 6a 6f 1d | .....zhM..:..jo.
1a 5e 35 74 47 f4 b7 ee a0 63 8e 08 42 8c a3 80 | .^5tG....c..B...
3a 91 8e 92 1a 22 73 c8 a6 07 61 42 63 5f 4e c7 | :...."s...aBc_N.
17 dc 5e c2 51 73 13 51 0f 57 17 01 63 9e da b5 | ..^.Qs.Q.W..c...
4a fd 92 6d 0a 33 8b e4 dc 5f 63 96 7b 89 d3 3a | J..m.3..._c.{..:
99 29 ac f0 7c 0a 99 ea 9c 40 33 86 4b 55 30 03 | .)..|....@3.KU0.
24 41 05 f6 48 43 5f b9 39 b4 74 17 2c 71 bf 26 | $A..HC_.9.t.,q.&
f4 a3 7a 9f ae 80 0c 8b 92 c8 22 35 0f f8 64 da | ..z......."5..d.
50 b1 2f 5f e2 a4 19 32 a6 7e 74 bb 31 74 93 10 | P./_...2.~t.1t..
85 a2 5f 10 9f 1d 0c 57 90 d2 56 e4 70 7f 54 99 | .._....W..V.p.T.
87 c0 bd d7 8f c4 31 eb 9d bc cd ca 35 b2 64 d0 | ......1.....5.d.
ee 6b c8 e1 1b 34 bc 09 3f cd d1 f1 53 c2 18 dd | .k...4..?...S...
82 85 2e 6c 44 9b 21 df eb 7b 5b 8f 07 f5 61 34 | ...lD.!..{[...a4
25 e5 97 ee bd 01 2e 1c 35 53 00 b0 be 92 96 80 | %.......5S......
50 9b 6e e0 f3 e3 1d 0c 0a 99 96 cd 42 64 e4 43 | P.n.........Bd.C
6a 4a de c2 03 19 a2 a7 b6 fa 7d 25 37 04 53 30 | jJ........}%7.S0
3a 69 b2 38 6c c9 e9 e3 59 a4 8b 1e ae 62 5d eb | :i.8l...Y....b].
3c 85 e3 2f f1 cb 7b 3c 0d 2d bf 6e f0 9c 7c c9 | <../..{<.-.n..|.
c8 84 35 26 21 82 2a 83 f7 54 80 51 73 34 c2 7b | ..5&!.*..T.Qs4.{
2b 5d 32 b7 26 a6 8c b2 46 d6 c2 63 5c 38 0c 0b | +]2.&...F..c\8..
5e ba 81 ee 0b 55 c6 e7 ab 48 8d 6a e4 c7 ec 45 | ^....U...H.j...E
0d 46 b9 2e 8e a9 be e1 26 b4 79 b5 56 4c 2a dd | .F......&.y.VL*.
93 22 01 d5 2c ca bd c0 6a 30 ff 53 8c 08 98 22 | ."..,...j0.S..."
33 3c 78 a1 59 25 43 cc db e1 26 cc 55 7f bb 4b | 3<x.Y%C...&.U..K
fe 9f 3f d9 92 44 6d 72 a4 74 75 e4 f6 40 bf 3d | ..?..Dmr.tu..@.=
a4 b5 fb 78 39 2a 9d 5e 91 ba e4 67 50 5a 99 6e | ...x9*.^...gPZ.n
5a 53 56 4e ca aa a3 b3 55 28 f1 68 b5 c1 dc 3b | ZSVN....U(.h...;
78 20 5b 86 8e 54 84 8b 6e 3c fd 5a fb a4 4a 46 | x [..T..n<.Z..JF
ba 2e d0 47 c7 43 b9 65 8f b5 01 c6 c3 17 ce 34 | ...G.C.e.......4
3b 51 d5 ea c4 0a c2 cf 02 94 d6 1f 93 4c 43 79 | ;Q...........LCy
a9 44 fa f7 62 82 50 d5 2b 73 56 06 c1 16 b5 41 | .D..b.P.+sV....A
36 17 8b e4 8c 4a 25 fb e4 c9 dc 2e d3 f5 bc c9 | 6....J%.........
c2 6d c6 7d | .m.}
Creating Endorsement Key
TPM2_CreatePrimary: 0x80000000 (314 bytes)
Endorsement key loaded at handle 0x80000000
EK RSA, Hash: SHA256, objAttr: 0x300B2
KeyBits: 2048, exponent: 0x0, unique size 256
b3:20:db:1a:10:d2:16:8c:5d:92:c0:47:87:b1:dc:ae:
af:5b:f2:44:15:dd:84:9a:17:3f:c6:76:61:29:c6:c3:
4c:e5:50:27:a2:26:8b:fd:e0:9d:34:09:93:0f:64:6a:
b0:46:f5:5b:19:1c:14:45:b7:24:d3:a9:a5:7d:4c:a7:
0a:ba:cc:d4:72:a2:18:2e:1a:20:a5:33:6f:5f:f5:21:
10:bf:db:af:74:7f:97:93:46:64:40:16:c2:e9:8f:cc:
e0:f2:4a:94:29:4e:73:87:6f:a4:bb:c8:f3:e1:02:35:
12:c9:c7:e8:4c:f2:59:94:5f:d2:5a:ca:35:48:e3:0d:
59:90:41:33:10:cd:4b:f5:ff:a7:0c:4e:94:ce:86:45:
fb:89:aa:b4:76:10:8e:ed:90:1e:bf:b9:6b:88:df:5a:
1a:b7:b5:cb:a8:80:ff:cf:4d:a8:c1:05:b6:15:49:8d:
22:74:29:56:95:56:e5:1d:4f:31:44:da:77:3c:a7:46:
a3:e2:d5:ee:18:51:0c:9c:51:52:49:ff:d1:ba:4f:cd:
33:42:0d:8e:e9:c8:da:a0:ff:10:02:0d:dd:e4:fa:49:
21:98:e9:28:c7:c5:25:ac:7b:90:91:99:fb:99:36:63:
dc:50:98:fa:fd:32:37:c2:08:9c:43:fc:59:d6:27:5f
wolfTPM2_HashStart: Handle 0x80000002
wolfTPM2_HashUpdate: Handle 0x80000002, DataSz 764
wolfTPM2_HashFinish: Handle 0x80000002, DigestSz 48
Cert Hash: 48
54:70:93:7f:05:79:3b:b8:fb:2f:2f:e0:eb:96:ec:95:
6e:bd:25:49:45:69:38:6b:67:48:09:cd:47:17:cc:c6:
8d:c9:6a:5a:01:16:ba:9f:75:96:0c:be:dc:40:0c:ee
Issuer Public Exponent 0x10001, Modulus 512
c5:5e:b9:a1:35:8b:76:d6:df:ed:93:a5:66:9d:11:93:
fd:46:42:fd:48:f7:33:6a:96:e3:64:6c:2a:74:ba:52:
9e:71:48:c6:ca:42:e1:06:a0:c7:bc:c4:0d:6e:48:ed:
1c:5f:dc:aa:44:c1:f4:5c:b3:ac:22:85:ad:5f:b0:b0:
d9:f4:8e:51:3e:05:70:41:ac:cf:5c:f8:0f:29:aa:94:
5b:24:a3:bf:39:33:e9:1a:bb:51:de:22:b2:52:a6:8b:
27:c1:aa:92:e1:38:80:40:ae:f9:04:d0:cc:d5:3b:72:
7f:d5:69:bc:9b:80:55:ff:c2:4a:87:3e:b5:74:55:c7:
83:04:9e:d9:ec:ee:fb:c7:21:d6:51:b4:c8:a4:6f:03:
57:3d:8c:ae:fc:df:d9:6c:a4:80:4e:83:2d:96:40:6f:
e2:bf:45:a5:0a:32:c1:d6:de:69:35:53:24:37:e4:7a:
8c:2f:96:b6:8a:8c:74:14:eb:5a:05:4a:fe:23:03:d9:
ce:af:9e:c4:2e:23:b4:e2:ff:e4:76:1b:ce:4d:6b:54:
af:bf:fc:c2:4e:24:6f:24:e6:bc:34:61:cb:15:0a:ce:
8b:5b:22:0a:fd:3f:26:93:63:b4:a5:b3:43:6a:1a:20:
14:47:d2:d9:fd:65:59:ae:13:0d:61:3c:38:bb:2e:59:
0b:f0:49:92:12:db:9d:73:09:42:54:15:0c:97:d7:14:
a4:bb:3a:5e:e8:7f:d9:dc:76:3d:ca:36:77:52:12:58:
e9:d1:ff:06:e6:da:05:6a:9c:7f:a6:05:4b:2e:48:62:
26:b0:2d:5c:a6:7d:c9:49:18:cb:76:24:4d:7a:62:04:
b4:b4:ee:48:24:c0:11:ba:78:f0:ca:f0:f2:97:84:15:
0a:99:de:0a:56:13:30:a6:f5:76:c6:c8:95:4a:44:94:
b1:fe:78:1e:55:7e:fc:4c:2e:4f:3c:7a:f3:4d:69:ae:
95:60:51:a0:4e:0c:eb:e3:62:4a:0c:a7:67:10:a7:ab:
e7:44:e6:d4:96:32:a0:c8:09:45:20:2f:cc:04:10:c1:
53:31:5f:e7:fb:e0:36:c8:1d:08:b4:d1:a2:01:a1:7f:
6c:94:a7:81:e9:c1:c7:19:0d:30:bc:4f:a5:ad:d5:ec:
dd:9c:68:58:6c:49:b9:fa:e6:92:9b:30:6a:90:84:a3:
eb:90:6c:fe:8e:d6:21:df:45:23:78:1e:be:0c:c1:b9:
05:bd:a3:0e:ef:b6:96:95:75:92:d0:a5:05:b7:88:9e:
46:fd:54:a2:f1:98:9c:b5:01:ac:5c:51:b8:b7:05:25:
52:f6:12:a1:e1:f4:bf:b2:4e:3e:27:b7:71:9f:d4:e1
TPM2_LoadExternal: 0x80000002
EK Certificate Signature: 512
b5:7a:68:4d:aa:d5:3a:bf:a2:6a:6f:1d:1a:5e:35:74:
47:f4:b7:ee:a0:63:8e:08:42:8c:a3:80:3a:91:8e:92:
1a:22:73:c8:a6:07:61:42:63:5f:4e:c7:17:dc:5e:c2:
51:73:13:51:0f:57:17:01:63:9e:da:b5:4a:fd:92:6d:
0a:33:8b:e4:dc:5f:63:96:7b:89:d3:3a:99:29:ac:f0:
7c:0a:99:ea:9c:40:33:86:4b:55:30:03:24:41:05:f6:
48:43:5f:b9:39:b4:74:17:2c:71:bf:26:f4:a3:7a:9f:
ae:80:0c:8b:92:c8:22:35:0f:f8:64:da:50:b1:2f:5f:
e2:a4:19:32:a6:7e:74:bb:31:74:93:10:85:a2:5f:10:
9f:1d:0c:57:90:d2:56:e4:70:7f:54:99:87:c0:bd:d7:
8f:c4:31:eb:9d:bc:cd:ca:35:b2:64:d0:ee:6b:c8:e1:
1b:34:bc:09:3f:cd:d1:f1:53:c2:18:dd:82:85:2e:6c:
44:9b:21:df:eb:7b:5b:8f:07:f5:61:34:25:e5:97:ee:
bd:01:2e:1c:35:53:00:b0:be:92:96:80:50:9b:6e:e0:
f3:e3:1d:0c:0a:99:96:cd:42:64:e4:43:6a:4a:de:c2:
03:19:a2:a7:b6:fa:7d:25:37:04:53:30:3a:69:b2:38:
6c:c9:e9:e3:59:a4:8b:1e:ae:62:5d:eb:3c:85:e3:2f:
f1:cb:7b:3c:0d:2d:bf:6e:f0:9c:7c:c9:c8:84:35:26:
21:82:2a:83:f7:54:80:51:73:34:c2:7b:2b:5d:32:b7:
26:a6:8c:b2:46:d6:c2:63:5c:38:0c:0b:5e:ba:81:ee:
0b:55:c6:e7:ab:48:8d:6a:e4:c7:ec:45:0d:46:b9:2e:
8e:a9:be:e1:26:b4:79:b5:56:4c:2a:dd:93:22:01:d5:
2c:ca:bd:c0:6a:30:ff:53:8c:08:98:22:33:3c:78:a1:
59:25:43:cc:db:e1:26:cc:55:7f:bb:4b:fe:9f:3f:d9:
92:44:6d:72:a4:74:75:e4:f6:40:bf:3d:a4:b5:fb:78:
39:2a:9d:5e:91:ba:e4:67:50:5a:99:6e:5a:53:56:4e:
ca:aa:a3:b3:55:28:f1:68:b5:c1:dc:3b:78:20:5b:86:
8e:54:84:8b:6e:3c:fd:5a:fb:a4:4a:46:ba:2e:d0:47:
c7:43:b9:65:8f:b5:01:c6:c3:17:ce:34:3b:51:d5:ea:
c4:0a:c2:cf:02:94:d6:1f:93:4c:43:79:a9:44:fa:f7:
62:82:50:d5:2b:73:56:06:c1:16:b5:41:36:17:8b:e4:
8c:4a:25:fb:e4:c9:dc:2e:d3:f5:bc:c9:c2:6d:c6:7d
TPM2_RSA_Encrypt: 512
Decrypted Sig: 512
00:01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:00:30:41:30:
0d:06:09:60:86:48:01:65:03:04:02:02:05:00:04:30:
54:70:93:7f:05:79:3b:b8:fb:2f:2f:e0:eb:96:ec:95:
6e:bd:25:49:45:69:38:6b:67:48:09:cd:47:17:cc:c6:
8d:c9:6a:5a:01:16:ba:9f:75:96:0c:be:dc:40:0c:ee
Expected Hash: 48
54:70:93:7f:05:79:3b:b8:fb:2f:2f:e0:eb:96:ec:95:
6e:bd:25:49:45:69:38:6b:67:48:09:cd:47:17:cc:c6:
8d:c9:6a:5a:01:16:ba:9f:75:96:0c:be:dc:40:0c:ee
Sig Hash: 48
54:70:93:7f:05:79:3b:b8:fb:2f:2f:e0:eb:96:ec:95:
6e:bd:25:49:45:69:38:6b:67:48:09:cd:47:17:cc:c6:
8d:c9:6a:5a:01:16:ba:9f:75:96:0c:be:dc:40:0c:ee
Certificate signature is valid
TPM2_FlushContext: Closed handle 0x80000002
TPM2_FlushContext: Closed handle 0x80000000
```

1
examples/endorsement/endorsement.h
View File

@ -27,6 +27,7 @@
#endif
int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[]);
int TPM2_EndorsementCertVerify_Example(void* userCtx, int argc, char *argv[]);
#ifdef __cplusplus
} /* extern "C" */

12
examples/endorsement/get_ek_certs.c
View File

@ -19,8 +19,8 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* This example shows how to decrypt a credential for Remote Attestation
* and extract the secret for challenge response to an attestation server
/* This example will list each of the Endorsement Key certificates and attempt
* to validate based on trusted peers in trusted_certs.h.
*/
#ifdef HAVE_CONFIG_H
@ -385,6 +385,9 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
printf("Endorsement Cert PEM\n");
puts(pem);
}
XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
pem = NULL;
#endif /* WOLFSSL_DER_TO_PEM */
}
#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_ASN */
@ -395,6 +398,11 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
exit:
if (rc != 0) {
printf("Error getting EK certificates! %s (%d)\n",
TPM2_GetRCString(rc), rc);
}
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
#ifdef WOLFSSL_DER_TO_PEM
XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);

15
examples/endorsement/include.am
View File

@ -4,17 +4,26 @@
if BUILD_EXAMPLES
noinst_HEADERS += \
examples/endorsement/endorsement.h \
examples/endorsement/trusted_certs.h
examples/endorsement/trusted_certs.h \
examples/endorsement/trusted_certs_der.h
noinst_PROGRAMS += examples/endorsement/get_ek_certs
examples_endorsement_get_ek_certs_SOURCES = examples/endorsement/get_ek_certs.c
examples_endorsement_get_ek_certs_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
examples_endorsement_get_ek_certs_DEPENDENCIES = src/libwolftpm.la
noinst_PROGRAMS += examples/endorsement/verify_ek_cert
examples_endorsement_verify_ek_cert_SOURCES = examples/endorsement/verify_ek_cert.c
examples_endorsement_verify_ek_cert_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD)
examples_endorsement_verify_ek_cert_DEPENDENCIES = src/libwolftpm.la
endif
EXTRA_DIST+=examples/endorsement/README.md
example_endorsementdir = $(exampledir)/endorsement
dist_example_endorsement_DATA = \
examples/endorsement/get_ek_certs.c
examples/endorsement/get_ek_certs.c \
examples/endorsement/verify_ek_cert.c
DISTCLEANFILES+= examples/endorsement/.libs/get_ek_certs
DISTCLEANFILES+= \
examples/endorsement/.libs/get_ek_certs \
examples/endorsement/.libs/verify_ek_cert

42
examples/endorsement/trusted_certs.h
View File

@ -520,6 +520,48 @@ static const char* trusted_certs[] = {
"uKErQfPEhjYLdzF8/OYW7w==\n"
"-----END CERTIFICATE-----\n",
/* Subject: CN=STSAFE TPM RSA Intermediate CA 20
* Issuer: CN=STSAFE RSA Root CA 02
* RSA 4096-bit, SHA2-384
* Validity: Jan 1 00:00:00 2043 GMT */
"-----BEGIN CERTIFICATE-----\n"
"MIIGbDCCBFSgAwIBAgIEQAAAIDANBgkqhkiG9w0BAQwFADBNMQswCQYDVQQGEwJD\n"
"SDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR4wHAYDVQQDExVTVFNB\n"
"RkUgUlNBIFJvb3QgQ0EgMDIwHhcNMjIwMTIwMDAwMDAwWhcNNDMwMTAxMDAwMDAw\n"
"WjBZMQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5W\n"
"MSowKAYDVQQDEyFTVFNBRkUgVFBNIFJTQSBJbnRlcm1lZGlhdGUgQ0EgMjAwggIi\n"
"MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDFXrmhNYt21t/tk6VmnRGT/UZC\n"
"/Uj3M2qW42RsKnS6Up5xSMbKQuEGoMe8xA1uSO0cX9yqRMH0XLOsIoWtX7Cw2fSO\n"
"UT4FcEGsz1z4DymqlFsko785M+kau1HeIrJSposnwaqS4TiAQK75BNDM1Ttyf9Vp\n"
"vJuAVf/CSoc+tXRVx4MEntns7vvHIdZRtMikbwNXPYyu/N/ZbKSAToMtlkBv4r9F\n"
"pQoywdbeaTVTJDfkeowvlraKjHQU61oFSv4jA9nOr57ELiO04v/kdhvOTWtUr7/8\n"
"wk4kbyTmvDRhyxUKzotbIgr9PyaTY7Sls0NqGiAUR9LZ/WVZrhMNYTw4uy5ZC/BJ\n"
"khLbnXMJQlQVDJfXFKS7Ol7of9ncdj3KNndSEljp0f8G5toFapx/pgVLLkhiJrAt\n"
"XKZ9yUkYy3YkTXpiBLS07kgkwBG6ePDK8PKXhBUKmd4KVhMwpvV2xsiVSkSUsf54\n"
"HlV+/EwuTzx6801prpVgUaBODOvjYkoMp2cQp6vnRObUljKgyAlFIC/MBBDBUzFf\n"
"5/vgNsgdCLTRogGhf2yUp4HpwccZDTC8T6Wt1ezdnGhYbEm5+uaSmzBqkISj65Bs\n"
"/o7WId9FI3gevgzBuQW9ow7vtpaVdZLQpQW3iJ5G/VSi8ZictQGsXFG4twUlUvYS\n"
"oeH0v7JOPie3cZ/U4QIDAQABo4IBRjCCAUIwHQYDVR0OBBYEFI/gePjKiFn+/j96\n"
"mDcs/ALGCERJMB8GA1UdIwQYMBaAFHzCjb5uWdhKVANGmxMIANL48G0nMEMGA1Ud\n"
"IAEB/wQ5MDcwNQYEVR0gADAtMCsGCCsGAQUFBwIBFh9odHRwOi8vc3ctY2VudGVy\n"
"LnN0LmNvbS9TVFNBRkUvMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\n"
"AgEAMFAGCCsGAQUFBwEBBEQwQjBABggrBgEFBQcwAoY0aHR0cDovL3N3LWNlbnRl\n"
"ci5zdC5jb20vU1RTQUZFL1NUU0FGRVJzYVJvb3RDQTAyLmNydDBFBgNVHR8EPjA8\n"
"MDqgOKA2hjRodHRwOi8vc3ctY2VudGVyLnN0LmNvbS9TVFNBRkUvU1RTQUZFUnNh\n"
"Um9vdENBMDIuY3JsMA0GCSqGSIb3DQEBDAUAA4ICAQAdjgY6q/7v+/kedUQfP61Y\n"
"W5+Ixl4etRxs2WLDZVyNh7ievMJf4iTvsjKuycYoGkcq5yrX0vp9PjLpd+KEH0e/\n"
"T3j5GyQAsow63GzCS+KKTcoVlP6hbBg2A2nx+4WNzWo0xhv90oYfagqJuGivF7Ly\n"
"TCk9E91XRXpBQrfNwIdkN3zSdtsjX20RDYx80O+jIDBb4ycWJIQS1g/sbh8rQk5k\n"
"xX/2CbmKPKc+y3IdqxOM3FbZ5KkLbgxTo2uJxE2IpUkSh3FXFbnjtbYuCEFcZTNU\n"
"acJRKw5HSIwL2YeH6M9ok9bWT3rg7OdHiBAb1aZbxxlKSQ2HtIu4R7Z3Bji1KKVH\n"
"pOFMtXREWqcwRNUlNDXdISMl1siScGG8RqChCGyq5YnjyJQ5TVOm5yJk2qZnil5p\n"
"p2y/Gu1wxUDlyNtPY2RafHE8jmK7g7CWhJTTaNR4gUnD1icSx/X9gCRON1s9KP5X\n"
"1585SsH9gZFdwxpST7iFPt3P1XxPEDZtxafI+1Zb9cEXgWvrHHvM71PAwAfVtEjy\n"
"97M7UtBGOiYTO7LQMwMDEJZWftFj37joXuLDv/rxIR+nlCBjZGOsCRmox+N5cxhS\n"
"5iEHZK4dhlx/DEJ/vTLCiv8i749LJk+KpJDU3EuW5FOrCn52+Jz1q9FKPFTvUKrq\n"
"Oc+M31vSmqTgg6QftWF1iQ==\n"
"-----END CERTIFICATE-----\n",
/* Subject: CN=STM TPM EK Root CA
* Algorithms: RSA 2048-bit, SHA2-256
* Validity: Dec 31 23:59:59 2039 GMT */

137
examples/endorsement/trusted_certs_der.h 100644
View File

@ -0,0 +1,137 @@
#ifndef WOLFTPM_TRUSTED_CERTS_DER_H
#define WOLFTPM_TRUSTED_CERTS_DER_H
/* ST33KTPM2X: C=CH, O=STMicroelectronics NV, CN=STSAFE TPM RSA Intermediate CA 20 */
/* http://sw-center.st.com/STSAFE/stsafetpmrsaint20.crt */
static const uint8_t kSTSAFEIntCa20[] = {
0x30, 0x82, 0x06, 0x6C, 0x30, 0x82, 0x04, 0x54, 0xA0, 0x03, 0x02, 0x01, 0x02,
0x02, 0x04, 0x40, 0x00, 0x00, 0x20, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C, 0x05, 0x00, 0x30, 0x4D, 0x31, 0x0B, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x31, 0x1E, 0x30,
0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x53, 0x54, 0x4D, 0x69, 0x63,
0x72, 0x6F, 0x65, 0x6C, 0x65, 0x63, 0x74, 0x72, 0x6F, 0x6E, 0x69, 0x63, 0x73,
0x20, 0x4E, 0x56, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
0x15, 0x53, 0x54, 0x53, 0x41, 0x46, 0x45, 0x20, 0x52, 0x53, 0x41, 0x20, 0x52,
0x6F, 0x6F, 0x74, 0x20, 0x43, 0x41, 0x20, 0x30, 0x32, 0x30, 0x1E, 0x17, 0x0D,
0x32, 0x32, 0x30, 0x31, 0x32, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A,
0x17, 0x0D, 0x34, 0x33, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30,
0x30, 0x5A, 0x30, 0x59, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
0x13, 0x02, 0x43, 0x48, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A,
0x13, 0x15, 0x53, 0x54, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x65, 0x6C, 0x65, 0x63,
0x74, 0x72, 0x6F, 0x6E, 0x69, 0x63, 0x73, 0x20, 0x4E, 0x56, 0x31, 0x2A, 0x30,
0x28, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x53, 0x54, 0x53, 0x41, 0x46,
0x45, 0x20, 0x54, 0x50, 0x4D, 0x20, 0x52, 0x53, 0x41, 0x20, 0x49, 0x6E, 0x74,
0x65, 0x72, 0x6D, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x20, 0x43, 0x41, 0x20,
0x32, 0x30, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0F, 0x00,
0x30, 0x82, 0x02, 0x0A, 0x02, 0x82, 0x02, 0x01, 0x00, 0xC5, 0x5E, 0xB9, 0xA1,
0x35, 0x8B, 0x76, 0xD6, 0xDF, 0xED, 0x93, 0xA5, 0x66, 0x9D, 0x11, 0x93, 0xFD,
0x46, 0x42, 0xFD, 0x48, 0xF7, 0x33, 0x6A, 0x96, 0xE3, 0x64, 0x6C, 0x2A, 0x74,
0xBA, 0x52, 0x9E, 0x71, 0x48, 0xC6, 0xCA, 0x42, 0xE1, 0x06, 0xA0, 0xC7, 0xBC,
0xC4, 0x0D, 0x6E, 0x48, 0xED, 0x1C, 0x5F, 0xDC, 0xAA, 0x44, 0xC1, 0xF4, 0x5C,
0xB3, 0xAC, 0x22, 0x85, 0xAD, 0x5F, 0xB0, 0xB0, 0xD9, 0xF4, 0x8E, 0x51, 0x3E,
0x05, 0x70, 0x41, 0xAC, 0xCF, 0x5C, 0xF8, 0x0F, 0x29, 0xAA, 0x94, 0x5B, 0x24,
0xA3, 0xBF, 0x39, 0x33, 0xE9, 0x1A, 0xBB, 0x51, 0xDE, 0x22, 0xB2, 0x52, 0xA6,
0x8B, 0x27, 0xC1, 0xAA, 0x92, 0xE1, 0x38, 0x80, 0x40, 0xAE, 0xF9, 0x04, 0xD0,
0xCC, 0xD5, 0x3B, 0x72, 0x7F, 0xD5, 0x69, 0xBC, 0x9B, 0x80, 0x55, 0xFF, 0xC2,
0x4A, 0x87, 0x3E, 0xB5, 0x74, 0x55, 0xC7, 0x83, 0x04, 0x9E, 0xD9, 0xEC, 0xEE,
0xFB, 0xC7, 0x21, 0xD6, 0x51, 0xB4, 0xC8, 0xA4, 0x6F, 0x03, 0x57, 0x3D, 0x8C,
0xAE, 0xFC, 0xDF, 0xD9, 0x6C, 0xA4, 0x80, 0x4E, 0x83, 0x2D, 0x96, 0x40, 0x6F,
0xE2, 0xBF, 0x45, 0xA5, 0x0A, 0x32, 0xC1, 0xD6, 0xDE, 0x69, 0x35, 0x53, 0x24,
0x37, 0xE4, 0x7A, 0x8C, 0x2F, 0x96, 0xB6, 0x8A, 0x8C, 0x74, 0x14, 0xEB, 0x5A,
0x05, 0x4A, 0xFE, 0x23, 0x03, 0xD9, 0xCE, 0xAF, 0x9E, 0xC4, 0x2E, 0x23, 0xB4,
0xE2, 0xFF, 0xE4, 0x76, 0x1B, 0xCE, 0x4D, 0x6B, 0x54, 0xAF, 0xBF, 0xFC, 0xC2,
0x4E, 0x24, 0x6F, 0x24, 0xE6, 0xBC, 0x34, 0x61, 0xCB, 0x15, 0x0A, 0xCE, 0x8B,
0x5B, 0x22, 0x0A, 0xFD, 0x3F, 0x26, 0x93, 0x63, 0xB4, 0xA5, 0xB3, 0x43, 0x6A,
0x1A, 0x20, 0x14, 0x47, 0xD2, 0xD9, 0xFD, 0x65, 0x59, 0xAE, 0x13, 0x0D, 0x61,
0x3C, 0x38, 0xBB, 0x2E, 0x59, 0x0B, 0xF0, 0x49, 0x92, 0x12, 0xDB, 0x9D, 0x73,
0x09, 0x42, 0x54, 0x15, 0x0C, 0x97, 0xD7, 0x14, 0xA4, 0xBB, 0x3A, 0x5E, 0xE8,
0x7F, 0xD9, 0xDC, 0x76, 0x3D, 0xCA, 0x36, 0x77, 0x52, 0x12, 0x58, 0xE9, 0xD1,
0xFF, 0x06, 0xE6, 0xDA, 0x05, 0x6A, 0x9C, 0x7F, 0xA6, 0x05, 0x4B, 0x2E, 0x48,
0x62, 0x26, 0xB0, 0x2D, 0x5C, 0xA6, 0x7D, 0xC9, 0x49, 0x18, 0xCB, 0x76, 0x24,
0x4D, 0x7A, 0x62, 0x04, 0xB4, 0xB4, 0xEE, 0x48, 0x24, 0xC0, 0x11, 0xBA, 0x78,
0xF0, 0xCA, 0xF0, 0xF2, 0x97, 0x84, 0x15, 0x0A, 0x99, 0xDE, 0x0A, 0x56, 0x13,
0x30, 0xA6, 0xF5, 0x76, 0xC6, 0xC8, 0x95, 0x4A, 0x44, 0x94, 0xB1, 0xFE, 0x78,
0x1E, 0x55, 0x7E, 0xFC, 0x4C, 0x2E, 0x4F, 0x3C, 0x7A, 0xF3, 0x4D, 0x69, 0xAE,
0x95, 0x60, 0x51, 0xA0, 0x4E, 0x0C, 0xEB, 0xE3, 0x62, 0x4A, 0x0C, 0xA7, 0x67,
0x10, 0xA7, 0xAB, 0xE7, 0x44, 0xE6, 0xD4, 0x96, 0x32, 0xA0, 0xC8, 0x09, 0x45,
0x20, 0x2F, 0xCC, 0x04, 0x10, 0xC1, 0x53, 0x31, 0x5F, 0xE7, 0xFB, 0xE0, 0x36,
0xC8, 0x1D, 0x08, 0xB4, 0xD1, 0xA2, 0x01, 0xA1, 0x7F, 0x6C, 0x94, 0xA7, 0x81,
0xE9, 0xC1, 0xC7, 0x19, 0x0D, 0x30, 0xBC, 0x4F, 0xA5, 0xAD, 0xD5, 0xEC, 0xDD,
0x9C, 0x68, 0x58, 0x6C, 0x49, 0xB9, 0xFA, 0xE6, 0x92, 0x9B, 0x30, 0x6A, 0x90,
0x84, 0xA3, 0xEB, 0x90, 0x6C, 0xFE, 0x8E, 0xD6, 0x21, 0xDF, 0x45, 0x23, 0x78,
0x1E, 0xBE, 0x0C, 0xC1, 0xB9, 0x05, 0xBD, 0xA3, 0x0E, 0xEF, 0xB6, 0x96, 0x95,
0x75, 0x92, 0xD0, 0xA5, 0x05, 0xB7, 0x88, 0x9E, 0x46, 0xFD, 0x54, 0xA2, 0xF1,
0x98, 0x9C, 0xB5, 0x01, 0xAC, 0x5C, 0x51, 0xB8, 0xB7, 0x05, 0x25, 0x52, 0xF6,
0x12, 0xA1, 0xE1, 0xF4, 0xBF, 0xB2, 0x4E, 0x3E, 0x27, 0xB7, 0x71, 0x9F, 0xD4,
0xE1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x46, 0x30, 0x82, 0x01,
0x42, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x8F,
0xE0, 0x78, 0xF8, 0xCA, 0x88, 0x59, 0xFE, 0xFE, 0x3F, 0x7A, 0x98, 0x37, 0x2C,
0xFC, 0x02, 0xC6, 0x08, 0x44, 0x49, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23,
0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x7C, 0xC2, 0x8D, 0xBE, 0x6E, 0x59, 0xD8,
0x4A, 0x54, 0x03, 0x46, 0x9B, 0x13, 0x08, 0x00, 0xD2, 0xF8, 0xF0, 0x6D, 0x27,
0x30, 0x43, 0x06, 0x03, 0x55, 0x1D, 0x20, 0x01, 0x01, 0xFF, 0x04, 0x39, 0x30,
0x37, 0x30, 0x35, 0x06, 0x04, 0x55, 0x1D, 0x20, 0x00, 0x30, 0x2D, 0x30, 0x2B,
0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1F, 0x68,
0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x73, 0x77, 0x2D, 0x63, 0x65, 0x6E, 0x74,
0x65, 0x72, 0x2E, 0x73, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x53, 0x54, 0x53,
0x41, 0x46, 0x45, 0x2F, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01,
0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1D,
0x13, 0x01, 0x01, 0xFF, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01,
0x00, 0x30, 0x50, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01,
0x04, 0x44, 0x30, 0x42, 0x30, 0x40, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x02, 0x86, 0x34, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x73,
0x77, 0x2D, 0x63, 0x65, 0x6E, 0x74, 0x65, 0x72, 0x2E, 0x73, 0x74, 0x2E, 0x63,
0x6F, 0x6D, 0x2F, 0x53, 0x54, 0x53, 0x41, 0x46, 0x45, 0x2F, 0x53, 0x54, 0x53,
0x41, 0x46, 0x45, 0x52, 0x73, 0x61, 0x52, 0x6F, 0x6F, 0x74, 0x43, 0x41, 0x30,
0x32, 0x2E, 0x63, 0x72, 0x74, 0x30, 0x45, 0x06, 0x03, 0x55, 0x1D, 0x1F, 0x04,
0x3E, 0x30, 0x3C, 0x30, 0x3A, 0xA0, 0x38, 0xA0, 0x36, 0x86, 0x34, 0x68, 0x74,
0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x73, 0x77, 0x2D, 0x63, 0x65, 0x6E, 0x74, 0x65,
0x72, 0x2E, 0x73, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x53, 0x54, 0x53, 0x41,
0x46, 0x45, 0x2F, 0x53, 0x54, 0x53, 0x41, 0x46, 0x45, 0x52, 0x73, 0x61, 0x52,
0x6F, 0x6F, 0x74, 0x43, 0x41, 0x30, 0x32, 0x2E, 0x63, 0x72, 0x6C, 0x30, 0x0D,
0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C, 0x05, 0x00,
0x03, 0x82, 0x02, 0x01, 0x00, 0x1D, 0x8E, 0x06, 0x3A, 0xAB, 0xFE, 0xEF, 0xFB,
0xF9, 0x1E, 0x75, 0x44, 0x1F, 0x3F, 0xAD, 0x58, 0x5B, 0x9F, 0x88, 0xC6, 0x5E,
0x1E, 0xB5, 0x1C, 0x6C, 0xD9, 0x62, 0xC3, 0x65, 0x5C, 0x8D, 0x87, 0xB8, 0x9E,
0xBC, 0xC2, 0x5F, 0xE2, 0x24, 0xEF, 0xB2, 0x32, 0xAE, 0xC9, 0xC6, 0x28, 0x1A,
0x47, 0x2A, 0xE7, 0x2A, 0xD7, 0xD2, 0xFA, 0x7D, 0x3E, 0x32, 0xE9, 0x77, 0xE2,
0x84, 0x1F, 0x47, 0xBF, 0x4F, 0x78, 0xF9, 0x1B, 0x24, 0x00, 0xB2, 0x8C, 0x3A,
0xDC, 0x6C, 0xC2, 0x4B, 0xE2, 0x8A, 0x4D, 0xCA, 0x15, 0x94, 0xFE, 0xA1, 0x6C,
0x18, 0x36, 0x03, 0x69, 0xF1, 0xFB, 0x85, 0x8D, 0xCD, 0x6A, 0x34, 0xC6, 0x1B,
0xFD, 0xD2, 0x86, 0x1F, 0x6A, 0x0A, 0x89, 0xB8, 0x68, 0xAF, 0x17, 0xB2, 0xF2,
0x4C, 0x29, 0x3D, 0x13, 0xDD, 0x57, 0x45, 0x7A, 0x41, 0x42, 0xB7, 0xCD, 0xC0,
0x87, 0x64, 0x37, 0x7C, 0xD2, 0x76, 0xDB, 0x23, 0x5F, 0x6D, 0x11, 0x0D, 0x8C,
0x7C, 0xD0, 0xEF, 0xA3, 0x20, 0x30, 0x5B, 0xE3, 0x27, 0x16, 0x24, 0x84, 0x12,
0xD6, 0x0F, 0xEC, 0x6E, 0x1F, 0x2B, 0x42, 0x4E, 0x64, 0xC5, 0x7F, 0xF6, 0x09,
0xB9, 0x8A, 0x3C, 0xA7, 0x3E, 0xCB, 0x72, 0x1D, 0xAB, 0x13, 0x8C, 0xDC, 0x56,
0xD9, 0xE4, 0xA9, 0x0B, 0x6E, 0x0C, 0x53, 0xA3, 0x6B, 0x89, 0xC4, 0x4D, 0x88,
0xA5, 0x49, 0x12, 0x87, 0x71, 0x57, 0x15, 0xB9, 0xE3, 0xB5, 0xB6, 0x2E, 0x08,
0x41, 0x5C, 0x65, 0x33, 0x54, 0x69, 0xC2, 0x51, 0x2B, 0x0E, 0x47, 0x48, 0x8C,
0x0B, 0xD9, 0x87, 0x87, 0xE8, 0xCF, 0x68, 0x93, 0xD6, 0xD6, 0x4F, 0x7A, 0xE0,
0xEC, 0xE7, 0x47, 0x88, 0x10, 0x1B, 0xD5, 0xA6, 0x5B, 0xC7, 0x19, 0x4A, 0x49,
0x0D, 0x87, 0xB4, 0x8B, 0xB8, 0x47, 0xB6, 0x77, 0x06, 0x38, 0xB5, 0x28, 0xA5,
0x47, 0xA4, 0xE1, 0x4C, 0xB5, 0x74, 0x44, 0x5A, 0xA7, 0x30, 0x44, 0xD5, 0x25,
0x34, 0x35, 0xDD, 0x21, 0x23, 0x25, 0xD6, 0xC8, 0x92, 0x70, 0x61, 0xBC, 0x46,
0xA0, 0xA1, 0x08, 0x6C, 0xAA, 0xE5, 0x89, 0xE3, 0xC8, 0x94, 0x39, 0x4D, 0x53,
0xA6, 0xE7, 0x22, 0x64, 0xDA, 0xA6, 0x67, 0x8A, 0x5E, 0x69, 0xA7, 0x6C, 0xBF,
0x1A, 0xED, 0x70, 0xC5, 0x40, 0xE5, 0xC8, 0xDB, 0x4F, 0x63, 0x64, 0x5A, 0x7C,
0x71, 0x3C, 0x8E, 0x62, 0xBB, 0x83, 0xB0, 0x96, 0x84, 0x94, 0xD3, 0x68, 0xD4,
0x78, 0x81, 0x49, 0xC3, 0xD6, 0x27, 0x12, 0xC7, 0xF5, 0xFD, 0x80, 0x24, 0x4E,
0x37, 0x5B, 0x3D, 0x28, 0xFE, 0x57, 0xD7, 0x9F, 0x39, 0x4A, 0xC1, 0xFD, 0x81,
0x91, 0x5D, 0xC3, 0x1A, 0x52, 0x4F, 0xB8, 0x85, 0x3E, 0xDD, 0xCF, 0xD5, 0x7C,
0x4F, 0x10, 0x36, 0x6D, 0xC5, 0xA7, 0xC8, 0xFB, 0x56, 0x5B, 0xF5, 0xC1, 0x17,
0x81, 0x6B, 0xEB, 0x1C, 0x7B, 0xCC, 0xEF, 0x53, 0xC0, 0xC0, 0x07, 0xD5, 0xB4,
0x48, 0xF2, 0xF7, 0xB3, 0x3B, 0x52, 0xD0, 0x46, 0x3A, 0x26, 0x13, 0x3B, 0xB2,
0xD0, 0x33, 0x03, 0x03, 0x10, 0x96, 0x56, 0x7E, 0xD1, 0x63, 0xDF, 0xB8, 0xE8,
0x5E, 0xE2, 0xC3, 0xBF, 0xFA, 0xF1, 0x21, 0x1F, 0xA7, 0x94, 0x20, 0x63, 0x64,
0x63, 0xAC, 0x09, 0x19, 0xA8, 0xC7, 0xE3, 0x79, 0x73, 0x18, 0x52, 0xE6, 0x21,
0x07, 0x64, 0xAE, 0x1D, 0x86, 0x5C, 0x7F, 0x0C, 0x42, 0x7F, 0xBD, 0x32, 0xC2,
0x8A, 0xFF, 0x22, 0xEF, 0x8F, 0x4B, 0x26, 0x4F, 0x8A, 0xA4, 0x90, 0xD4, 0xDC,
0x4B, 0x96, 0xE4, 0x53, 0xAB, 0x0A, 0x7E, 0x76, 0xF8, 0x9C, 0xF5, 0xAB, 0xD1,
0x4A, 0x3C, 0x54, 0xEF, 0x50, 0xAA, 0xEA, 0x39, 0xCF, 0x8C, 0xDF, 0x5B, 0xD2,
0x9A, 0xA4, 0xE0, 0x83, 0xA4, 0x1F, 0xB5, 0x61, 0x75, 0x89
};
#endif /* WOLFTPM_TRUSTED_CERTS_DER_H */

646
examples/endorsement/verify_ek_cert.c 100644
View File

@ -0,0 +1,646 @@
/* verify_ek_cert.c
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfTPM.
*
* wolfTPM is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfTPM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* This example shows how to generate and validate an EK based on a
* trusted public key. This example is supported in stand-alone (no wolfCrypt)
* This example assumes ST33KTPM2X with signer
* "STSAFE TPM RSA Intermediate CA 20" : RSA 4096-bit key with SHA2-384
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <wolftpm/tpm2_wrap.h>
#include <stdio.h>
#ifndef WOLFTPM2_NO_WRAPPER
#include <examples/endorsement/endorsement.h>
#include <hal/tpm_io.h>
#include "trusted_certs_der.h"
#ifndef WOLFTPM2_NO_WOLFCRYPT
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/rsa.h>
#endif
#ifndef MAX_CERT_SZ
#define MAX_CERT_SZ 2048
#endif
#ifdef WOLFTPM2_NO_WOLFCRYPT
#define ASN_SEQUENCE 0x10
#define ASN_CONSTRUCTED 0x20
#define ASN_CONTEXT_SPECIFIC 0x80
#define ASN_LONG_LENGTH 0x80 /* indicates additional length fields */
#define ASN_INTEGER 0x02
#define ASN_BIT_STRING 0x03
#define ASN_OCTET_STRING 0x04
#define ASN_TAG_NULL 0x05
#define ASN_OBJECT_ID 0x06
#endif
#if defined(WOLFTPM2_NO_WOLFCRYPT) || defined(NO_RSA)
#define RSA_BLOCK_TYPE_1 1
#define RSA_BLOCK_TYPE_2 2
#endif
typedef struct DecodedX509 {
word32 certBegin;
byte* cert; /* pointer to start of cert */
word32 certSz;
byte* publicKey; /* pointer to public key */
word32 pubKeySz;
byte* signature; /* pointer to signature */
word32 sigSz; /* length of signature */
} DecodedX509;
static void usage(void)
{
printf("Expected usage:\n");
printf("./examples/endorsement/verify_ek_cert\n");
}
static void dump_hex_bytes(const byte* buf, word32 sz)
{
word32 i;
/* Print as : separated hex bytes - max 15 bytes per line */
printf("\t");
for (i=0; i<sz; i++) {
printf("%02x", buf[i]);
if (i+1 < sz) {
printf(":");
if (i>0 && ((i+1)%16)==0) printf("\n\t");
}
}
printf("\n");
}
/* Display EK public information */
static void show_tpm_public(const char* desc, const TPM2B_PUBLIC* pub)
{
printf("%s %s, Hash: %s, objAttr: 0x%X\n",
desc,
TPM2_GetAlgName(pub->publicArea.type),
TPM2_GetAlgName(pub->publicArea.nameAlg),
(unsigned int)pub->publicArea.objectAttributes);
/* parameters and unique field depend on algType */
if (pub->publicArea.type == TPM_ALG_RSA) {
printf("\tKeyBits: %d, exponent: 0x%X, unique size %d\n",
pub->publicArea.parameters.rsaDetail.keyBits,
(unsigned int)pub->publicArea.parameters.rsaDetail.exponent,
pub->publicArea.unique.rsa.size);
dump_hex_bytes(pub->publicArea.unique.rsa.buffer,
pub->publicArea.unique.rsa.size);
}
else if (pub->publicArea.type == TPM_ALG_ECC) {
const char* curveName = "NULL";
#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
curveName = wc_ecc_get_name(
TPM2_GetWolfCurve(pub->publicArea.parameters.eccDetail.curveID));
#endif
printf("\tCurveID %s (0x%x), size %d, unique X/Y size %d/%d\n",
curveName, pub->publicArea.parameters.eccDetail.curveID,
TPM2_GetCurveSize(pub->publicArea.parameters.eccDetail.curveID),
pub->publicArea.unique.ecc.x.size,
pub->publicArea.unique.ecc.y.size);
dump_hex_bytes(pub->publicArea.unique.ecc.x.buffer,
pub->publicArea.unique.ecc.x.size);
dump_hex_bytes(pub->publicArea.unique.ecc.y.buffer,
pub->publicArea.unique.ecc.y.size);
}
}
static int DecodeAsn1Tag(const uint8_t* input, int inputSz, int* inOutIdx,
int* tag_len, uint8_t tag)
{
int rc = -1; /* default to fail case */
int tag_len_bytes = 1;
*tag_len = 0; /* reset tag length */
if (input[*inOutIdx] == tag) { /* check tag is expected */
(*inOutIdx)++; /* skip asn.1 tag */
if (input[*inOutIdx] & ASN_LONG_LENGTH) {
tag_len_bytes = (int)(input[*inOutIdx] & 0x7F);
if (tag_len_bytes > 4) {
return -1; /* too long */
}
(*inOutIdx)++; /* skip long length field */
}
while (tag_len_bytes--) {
*tag_len = (*tag_len << 8) | input[*inOutIdx];
(*inOutIdx)++; /* skip length */
}
if (*tag_len + *inOutIdx <= inputSz) { /* check length */
rc = 0;
}
}
return rc;
}
static int RsaDecodeSignature(uint8_t** pInput, int inputSz)
{
int rc;
uint8_t* input = *pInput;
int idx = 0;
int tot_len, algo_len, digest_len = 0;
/* sequence - total size */
rc = DecodeAsn1Tag(input, inputSz, &idx, &tot_len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
if (rc == 0) {
/* sequence - algoid */
rc = DecodeAsn1Tag(input, inputSz, &idx, &algo_len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
idx += algo_len; /* skip algoid */
/* digest */
rc = DecodeAsn1Tag(input, inputSz, &idx, &digest_len, ASN_OCTET_STRING);
}
if (rc == 0) {
/* return digest buffer pointer */
*pInput = &input[idx];
rc = digest_len;
}
return rc;
}
static int DecodeX509Cert(uint8_t* input, int inputSz, DecodedX509* x509)
{
int rc;
int idx = 0;
int tot_len, cert_len = 0, len, pubkey_len = 0, sig_len = 0;
/* sequence - total size */
rc = DecodeAsn1Tag(input, inputSz, &idx, &tot_len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
if (rc == 0) {
x509->certBegin = idx;
x509->cert = &input[idx];
/* sequence - cert */
rc = DecodeAsn1Tag(input, inputSz, &idx, &cert_len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
x509->certSz = cert_len + (idx - x509->certBegin);
/* cert - version */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED));
}
if (rc == 0) {
/* check version == 1 */
if (input[idx] != ASN_INTEGER && input[idx] != 1) {
rc = -1;
}
}
if (rc == 0) {
idx += len; /* skip version */
/* cert - serial */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len, ASN_INTEGER);
}
if (rc == 0) {
idx += len; /* skip serial */
/* cert - signature oid */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
idx += len; /* skip signature oid */
/* cert - issuer */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
idx += len; /* skip issuer */
/* cert - validity */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
idx += len; /* skip validity */
/* cert - subject */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
idx += len; /* skip subject */
/* cert - subject public key info */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
/* cert - subject public key alg oid */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
idx += len; /* skip alg oid */
/* cert - subject public key alg params */
rc = DecodeAsn1Tag(input, inputSz, &idx, &pubkey_len,
ASN_BIT_STRING);
}
if (rc == 0) {
/* skip leading zero for bit string */
if (input[idx] == 0x00) {
idx++;
pubkey_len--;
}
/* return pointer to public key */
x509->publicKey = &input[idx];
x509->pubKeySz = pubkey_len;
}
if (rc == 0) {
/* skip to start of signature */
idx = x509->certBegin + x509->certSz;
rc = DecodeAsn1Tag(input, inputSz, &idx, &len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
}
if (rc == 0) {
/* signature oid */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len, ASN_OBJECT_ID);
}
if (rc == 0) {
idx += len; /* skip oid */
/* sig algo params */
rc = DecodeAsn1Tag(input, inputSz, &idx, &len, ASN_TAG_NULL);
}
if (rc == 0) {
idx += len; /* skip tag */
/* signature bit string */
rc = DecodeAsn1Tag(input, inputSz, &idx, &sig_len,
ASN_BIT_STRING);
}
if (rc == 0) {
/* skip leading zero for bit string */
if (input[idx] == 0x00) {
idx++;
sig_len--;
}
/* signature */
x509->sigSz = sig_len;
x509->signature = &input[idx];
}
return rc;
}
static int DecodeRsaPubKey(uint8_t* input, int inputSz, TPM2B_PUBLIC* pub)
{
int rc;
int idx = 0;
int tot_len, mod_len = 0, exp_len = 0;
/* sequence - total size */
rc = DecodeAsn1Tag(input, inputSz, &idx, &tot_len,
(ASN_SEQUENCE | ASN_CONSTRUCTED));
if (rc == 0) {
/* modulus */
rc = DecodeAsn1Tag(input, inputSz, &idx, &mod_len, ASN_INTEGER);
}
if (rc == 0) {
/* skip leading zero if exists */
if (input[idx] == 0x00) {
idx++;
mod_len--;
}
if (mod_len > (int)sizeof(pub->publicArea.unique.rsa.buffer)) {
rc = -1;
}
}
if (rc == 0) {
/* Populate Modulus */
pub->publicArea.parameters.rsaDetail.keyBits = mod_len * 8;
pub->publicArea.unique.rsa.size = mod_len;
XMEMCPY(pub->publicArea.unique.rsa.buffer, &input[idx], mod_len);
}
if (rc == 0) {
idx += mod_len; /* skip modulus */
/* exponent */
rc = DecodeAsn1Tag(input, inputSz, &idx, &exp_len, ASN_INTEGER);
/* skip leading zero if exists */
if (input[idx] == 0x00) {
idx++;
exp_len--;
}
if (exp_len >
(int)sizeof(pub->publicArea.parameters.rsaDetail.exponent)) {
rc = -1;
}
}
if (rc == 0) {
XMEMCPY(&pub->publicArea.parameters.rsaDetail.exponent, &input[idx],
exp_len);
}
return rc;
}
static int RsaUnpadPkcsv15(uint8_t** pSig, int* sigSz)
{
int rc = -1; /* default to error */
uint8_t* sig = *pSig;
int idx = 0;
/* RSA PKCSv1.5 unpad */
if (sig[idx++] == 0x00 && sig[idx++] == RSA_BLOCK_TYPE_1) {
/* skip padding 0xFF's */
while (idx < *sigSz) {
if (sig[idx] != 0xFF)
break;
idx++;
}
/* verify 0x00 after pad */
if (sig[idx++] == 0x00) {
/* success unpadding */
rc = 0;
*pSig = &sig[idx];
*sigSz -= idx;
}
}
return rc;
}
int TPM2_EndorsementCertVerify_Example(void* userCtx, int argc, char *argv[])
{
int rc = -1;
WOLFTPM2_DEV dev;
WOLFTPM2_KEY endorse;
TPMS_NV_PUBLIC nvPublic;
WOLFTPM2_KEY issuer;
WOLFTPM2_NV nv;
WOLFTPM2_HASH hash;
TPMT_PUBLIC publicTemplate;
TPM2B_PUBLIC ekPub;
DecodedX509 issuerX509, ekX509;
uint32_t nvIndex = TPM2_NV_RSA_EK_CERT; /* RSA 2048-bit EK Cert Index */
uint8_t cert[MAX_CERT_SZ]; /* buffer to hold device cert from NV */
uint32_t certSz;
TPM_ALG_ID hashAlg = TPM_ALG_SHA384; /* Signer uses SHA2-384 */
uint8_t hashBuf[TPM_MAX_DIGEST_SIZE]; /* hash of device cert, for verify */
uint32_t hashSz = 0;
uint8_t sig[512]; /* 4096-bit max, hold decrypted signature */
int sigSz = (int)sizeof(sig);
uint8_t* sigDigest; /* offset to digest in signature */
int sigDigestSz = 0;
XMEMSET(&endorse, 0, sizeof(endorse));
XMEMSET(&nvPublic, 0, sizeof(nvPublic));
XMEMSET(&issuer, 0, sizeof(issuer));
XMEMSET(&nv, 0, sizeof(nv));
XMEMSET(&hash, 0, sizeof(hash));
XMEMSET(&issuerX509, 0, sizeof(issuerX509));
XMEMSET(&ekX509, 0, sizeof(ekX509));
XMEMSET(&ekPub, 0, sizeof(ekPub));
if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
XSTRCMP(argv[1], "-h") == 0 ||
XSTRCMP(argv[1], "--help") == 0) {
usage();
return 0;
}
}
printf("Endorsement Certificate Verify\n");
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != TPM_RC_SUCCESS) {
printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
goto exit;
}
/* Get Endorsement Public Key template using NV index */
rc = wolfTPM2_GetKeyTemplate_EKIndex(nvIndex, &publicTemplate);
if (rc != 0) {
printf("EK Index 0x%08x not valid\n", nvIndex);
goto exit;
}
/* Read Public portion of NV to get actual size */
if (rc == 0)
rc = wolfTPM2_NVReadPublic(&dev, nvIndex, &nvPublic);
if (rc != 0) {
printf("Failed to read public for NV Index 0x%08x\n", nvIndex);
}
if (rc == 0) { /* Read data */
certSz = (uint32_t)sizeof(cert);
if (certSz > nvPublic.dataSize) {
certSz = nvPublic.dataSize;
}
rc = wolfTPM2_NVReadAuth(&dev, &nv, nvIndex, cert, &certSz, 0);
if (rc == 0) {
#ifdef DEBUG_WOLFTPM
printf("EK Data: %d\n", certSz);
TPM2_PrintBin(cert, certSz);
#endif
}
}
/* Create Endorsement Key */
if (rc == 0) {
/* Create Endorsement Key using EK auth policy */
printf("Creating Endorsement Key\n");
rc = wolfTPM2_CreatePrimaryKey(&dev, &endorse, TPM_RH_ENDORSEMENT,
&publicTemplate, NULL, 0);
if (rc != 0) goto exit;
printf("Endorsement key loaded at handle 0x%08x\n",
endorse.handle.hndl);
/* Display EK public information */
show_tpm_public("EK", &endorse.pub);
}
if (rc == 0) {
/* Parse device certificate and extract public key */
rc = DecodeX509Cert(cert, certSz, &ekX509);
if (rc == 0) {
/* Parse RSA Public Key Raw Modulus */
rc = DecodeRsaPubKey((uint8_t*)ekX509.publicKey, ekX509.pubKeySz,
&ekPub);
}
}
if (rc == 0) {
/* Compare certificate public key with generated EK public key */
if (ekPub.publicArea.unique.rsa.size !=
endorse.pub.publicArea.unique.rsa.size ||
XMEMCMP(ekPub.publicArea.unique.rsa.buffer,
endorse.pub.publicArea.unique.rsa.buffer,
endorse.pub.publicArea.unique.rsa.size) != 0)
{
printf("Error: Generated EK public key does not match NV cert "
"public key!\n");
rc = -1;
}
}
if (rc == 0) {
/* Hash certificate (excluding signature) */
rc = wolfTPM2_HashStart(&dev, &hash, hashAlg, NULL, 0);
if (rc == 0) {
rc = wolfTPM2_HashUpdate(&dev, &hash, ekX509.cert, ekX509.certSz);
if (rc == 0) {
hashSz = sizeof(hashBuf);
rc = wolfTPM2_HashFinish(&dev, &hash, hashBuf, &hashSz);
}
printf("Cert Hash: %d\n", hashSz);
dump_hex_bytes(hashBuf, hashSz);
}
}
if (rc == 0) {
/* Parse and extract the issuer's public key modulus from certificate */
rc = DecodeX509Cert((uint8_t*)kSTSAFEIntCa20,
(int)sizeof(kSTSAFEIntCa20), &issuerX509);
if (rc == 0) {
/* Parse RSA Public Key Raw Modulus */
rc = DecodeRsaPubKey((uint8_t*)issuerX509.publicKey,
issuerX509.pubKeySz, &issuer.pub);
}
}
if (rc == 0) {
printf("Issuer Public Exponent 0x%x, Modulus %d\n",
issuer.pub.publicArea.parameters.rsaDetail.exponent,
issuer.pub.publicArea.unique.rsa.size);
dump_hex_bytes(issuer.pub.publicArea.unique.rsa.buffer,
issuer.pub.publicArea.unique.rsa.size);
/* Import issuer certificate public key */
issuer.pub.publicArea.type = TPM_ALG_RSA;
issuer.pub.publicArea.nameAlg = hashAlg;
issuer.pub.publicArea.objectAttributes = (TPMA_OBJECT_decrypt);
issuer.pub.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
issuer.pub.publicArea.parameters.rsaDetail.scheme.details.anySig.hashAlg = hashAlg;
issuer.pub.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
rc = wolfTPM2_LoadPublicKey(&dev, &issuer, &issuer.pub);
}
if (rc == 0) {
/* Display Cert public information */
show_tpm_public("Issuer", &issuer.pub);
printf("EK Certificate Signature: %d\n", ekX509.sigSz);
dump_hex_bytes(ekX509.signature, ekX509.sigSz);
/* RSA Public Decrypt EK certificate signature */
rc = wolfTPM2_RsaEncrypt(&dev, &issuer,
TPM_ALG_NULL, /* no padding */
ekX509.signature, ekX509.sigSz,
sig, &sigSz);
if (rc != 0) {
printf("RSA Public Failed!\n");
goto exit;
}
printf("Decrypted Sig: %d\n", sigSz);
dump_hex_bytes(sig, sigSz);
}
if (rc == 0) {
sigDigest = sig;
rc = RsaUnpadPkcsv15(&sigDigest, &sigSz);
}
if (rc == 0) {
rc = RsaDecodeSignature(&sigDigest, sigSz);
if (rc > 0) {
sigDigestSz = rc;
rc = 0;
}
}
if (rc == 0) {
printf("Expected Hash: %d\n", hashSz);
dump_hex_bytes(hashBuf, hashSz);
printf("Sig Hash: %d\n", sigDigestSz);
dump_hex_bytes(sigDigest, sigDigestSz);
/* Compare certificate hash with signature hash */
if (sigDigestSz == (int)hashSz &&
memcmp(sigDigest, hashBuf, hashSz) == 0) {
printf("Certificate signature is valid\n");
}
else {
printf("Error: Certificate signature is invalid!\n");
rc = -1;
}
}
exit:
if (rc != 0) {
printf("Error verifying EK certificate! %s (%d)\n",
TPM2_GetRCString(rc), rc);
}
wolfTPM2_UnloadHandle(&dev, &issuer.handle);
wolfTPM2_UnloadHandle(&dev, &endorse.handle);
wolfTPM2_Cleanup(&dev);
return rc;
}
/******************************************************************************/
/* --- END TPM2.0 Endorsement certificate tool -- */
/******************************************************************************/
#endif /* !WOLFTPM2_NO_WRAPPER */
#ifndef NO_MAIN_DRIVER
int main(int argc, char *argv[])
{
int rc = -1;
#ifndef WOLFTPM2_NO_WRAPPER
rc = TPM2_EndorsementCertVerify_Example(NULL, argc, argv);
#else
printf("Wrapper code not compiled in\n");
(void)argc;
(void)argv;
#endif /* !WOLFTPM2_NO_WRAPPER */
return rc;
}
#endif