search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Documented gnutls_certificate_verification_status_print().
[gnutls.git] / lib / tpm.c
blobe9c8123ae60af45c04e6a01c0c3a34ef6e8d28ec
1 /*
2 * OpenConnect (SSL + DTLS) VPN client
3 *
4 * Copyright © 2012 Free Software Foundation.
5 * Copyright © 2008-2012 Intel Corporation.
6 *
7 * Author: David Woodhouse <dwmw2@infradead.org>
8 * Author: Nikos Mavrogiannopoulos
9 *
10 * GnuTLS is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * as published by the Free Software Foundation; either version 3 of
13 * the License, or (at your option) any later version.
14 *
15 * This library is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with this program. If not, see <http://www.gnu.org/licenses/>
22 *
23 */
24
25 /*
26 * TPM code based on client-tpm.c from
27 * Carolin Latze <latze@angry-red-pla.net> and Tobias Soder
28 */
29
30 #include <gnutls/gnutls.h>
31 #include <gnutls/abstract.h>
32 #include <gnutls/tpm.h>
33
34 #include <gnutls_int.h>
35 #include <gnutls_errors.h>
36 #include <pkcs11_int.h>
37 #include <x509/common.h>
38 #include <x509_b64.h>
39 #include <random.h>
40 #include <pin.h>
41
42 #include <trousers/tss.h>
43 #include <trousers/trousers.h>
44
45 struct tpm_ctx_st
46 {
47 TSS_HCONTEXT tpm_ctx;
48 TSS_HKEY tpm_key;
49 TSS_HPOLICY tpm_key_policy;
50 TSS_HKEY srk;
51 TSS_HPOLICY srk_policy;
52 };
53
54 struct tpm_key_list_st
55 {
56 UINT32 size;
57 TSS_KM_KEYINFO2 * ki;
58 TSS_HCONTEXT tpm_ctx;
59 };
60
61 static void tpm_close_session(struct tpm_ctx_st *s);
62 static int import_tpm_key (gnutls_privkey_t pkey,
63 const gnutls_datum_t * fdata,
64 gnutls_tpmkey_fmt_t format,
65 TSS_UUID *uuid,
66 TSS_FLAG storage_type,
67 const char *srk_password,
68 const char *key_password);
69 static int encode_tpmkey_url(char** url, const TSS_UUID* uuid, TSS_FLAG storage);
70
71 /* TPM URL format:
72 *
73 * tpmkey:file=/path/to/file
74 * tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user
75 * tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=system
76 *
77 */
78
79
80 static int tss_err_pwd(TSS_RESULT err, int pwd_error)
81 {
82 _gnutls_debug_log("TPM (%s) error: %s (%x)\n", Trspi_Error_Layer(err), Trspi_Error_String(err), (unsigned int)Trspi_Error_Code(err));
83
84 switch(ERROR_LAYER(err))
85 {
86 case TSS_LAYER_TPM:
87 switch(ERROR_CODE(err))
88 {
89 case TPM_E_AUTHFAIL:
90 return pwd_error;
91 case TPM_E_NOSRK:
92 return GNUTLS_E_TPM_UNINITIALIZED;
93 default:
94 return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
95 }
96 case TSS_LAYER_TCS:
97 case TSS_LAYER_TSP:
98 switch(ERROR_CODE(err))
99 {
100 case TSS_E_COMM_FAILURE:
101 case TSS_E_NO_CONNECTION:
102 case TSS_E_CONNECTION_FAILED:
103 case TSS_E_CONNECTION_BROKEN:
104 return GNUTLS_E_TPM_SESSION_ERROR;
105 case TSS_E_PS_KEY_NOTFOUND:
106 return GNUTLS_E_TPM_KEY_NOT_FOUND;
107 default:
108 return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
109 }
110 default:
111 return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
112 }
113 }
114
115 #define tss_err(x) tss_err_pwd(x, GNUTLS_E_TPM_SRK_PASSWORD_ERROR)
116 #define tss_err_key(x) tss_err_pwd(x, GNUTLS_E_TPM_KEY_PASSWORD_ERROR)
117
118 static void
119 tpm_deinit_fn (gnutls_privkey_t key, void *_s)
120 {
121 struct tpm_ctx_st *s = _s;
122
123 Tspi_Context_CloseObject (s->tpm_ctx, s->tpm_key_policy);
124 Tspi_Context_CloseObject (s->tpm_ctx, s->tpm_key);
125
126 tpm_close_session(s);
127 gnutls_free (s);
128 }
129
130 static int
131 tpm_sign_fn (gnutls_privkey_t key, void *_s,
132 const gnutls_datum_t * data, gnutls_datum_t * sig)
133 {
134 struct tpm_ctx_st *s = _s;
135 TSS_HHASH hash;
136 int err;
137
138 _gnutls_debug_log ("TPM sign function called for %u bytes.\n",
139 data->size);
140
141 err =
142 Tspi_Context_CreateObject (s->tpm_ctx,
143 TSS_OBJECT_TYPE_HASH, TSS_HASH_OTHER,
144 &hash);
145 if (err)
146 {
147 gnutls_assert ();
148 _gnutls_debug_log ("Failed to create TPM hash object: %s\n",
149 Trspi_Error_String (err));
150 return GNUTLS_E_PK_SIGN_FAILED;
151 }
152 err = Tspi_Hash_SetHashValue (hash, data->size, data->data);
153 if (err)
154 {
155 gnutls_assert ();
156 _gnutls_debug_log ("Failed to set value in TPM hash object: %s\n",
157 Trspi_Error_String (err));
158 Tspi_Context_CloseObject (s->tpm_ctx, hash);
159 return GNUTLS_E_PK_SIGN_FAILED;
160 }
161 err = Tspi_Hash_Sign (hash, s->tpm_key, &sig->size, &sig->data);
162 Tspi_Context_CloseObject (s->tpm_ctx, hash);
163 if (err)
164 {
165 if (s->tpm_key_policy || err != TPM_E_AUTHFAIL)
166 _gnutls_debug_log ("TPM hash signature failed: %s\n",
167 Trspi_Error_String (err));
168 if (err == TPM_E_AUTHFAIL)
169 return GNUTLS_E_TPM_KEY_PASSWORD_ERROR;
170 else
171 return GNUTLS_E_PK_SIGN_FAILED;
172 }
173 return 0;
174 }
175
176 static const unsigned char nullpass[20];
177 static const gnutls_datum_t nulldata = {(void*)nullpass, 20};
178 const TSS_UUID srk_uuid = TSS_UUID_SRK;
179
180 static int tpm_pin(struct pin_info_st* pin_info, const TSS_UUID* uuid, TSS_FLAG storage,
181 char* pin, unsigned int pin_size, unsigned int attempts)
182 {
183 unsigned int flags = 0;
184 const char* label;
185 char* url = NULL;
186 int ret;
187
188 if (attempts > 0)
189 flags |= GNUTLS_PIN_WRONG;
190
191 if (uuid)
192 {
193 if (memcmp(uuid, &srk_uuid, sizeof(TSS_UUID)) == 0)
194 label = "SRK";
195 else
196 {
197 ret = encode_tpmkey_url(&url, uuid, storage);
198 if (ret < 0)
199 return gnutls_assert_val(ret);
200
201 label = url;
202 }
203 }
204 else
205 label = "unknown";
206
207 if (pin_info && pin_info->cb)
208 ret = pin_info->cb(pin_info->data, attempts, "TPM", label, flags, pin, pin_size);
209 else if (_gnutls_pin_func)
210 ret = _gnutls_pin_func(_gnutls_pin_data, attempts, "TPM", label, flags, pin, pin_size);
211 else
212 ret = gnutls_assert_val(GNUTLS_E_TPM_KEY_PASSWORD_ERROR); /* doesn't really matter */
213
214 if (ret < 0)
215 {
216 gnutls_assert();
217 goto cleanup;
218 }
219
220 ret = 0;
221 cleanup:
222 gnutls_free(url);
223 return ret;
224 }
225
226
227 static TSS_RESULT myTspi_Policy_SetSecret(TSS_HPOLICY hPolicy,
228 UINT32 ulSecretLength, BYTE* rgbSecret)
229 {
230 if (rgbSecret == NULL)
231 {
232 /* Well known NULL key */
233 return Tspi_Policy_SetSecret (hPolicy,
234 TSS_SECRET_MODE_SHA1,
235 sizeof (nullpass), (BYTE *) nullpass);
236 }
237 else /* key is given */
238 {
239 return Tspi_Policy_SetSecret (hPolicy, TSS_SECRET_MODE_PLAIN,
240 ulSecretLength, rgbSecret);
241 }
242 }
243
244 #define SAFE_LEN(x) (x==NULL?0:strlen(x))
245
246 static int tpm_open_session(struct tpm_ctx_st *s, const char* srk_password)
247 {
248 int err, ret;
249
250 err = Tspi_Context_Create (&s->tpm_ctx);
251 if (err)
252 {
253 gnutls_assert ();
254 return tss_err(err);
255 }
256
257 err = Tspi_Context_Connect (s->tpm_ctx, NULL);
258 if (err)
259 {
260 gnutls_assert ();
261 ret = tss_err(err);
262 goto out_tspi_ctx;
263 }
264
265 err =
266 Tspi_Context_LoadKeyByUUID (s->tpm_ctx, TSS_PS_TYPE_SYSTEM,
267 srk_uuid, &s->srk);
268 if (err)
269 {
270 gnutls_assert ();
271 ret = tss_err(err);
272 goto out_tspi_ctx;
273 }
274
275 err = Tspi_GetPolicyObject (s->srk, TSS_POLICY_USAGE, &s->srk_policy);
276 if (err)
277 {
278 gnutls_assert ();
279 ret = tss_err(err);
280 goto out_srk;
281 }
282
283 err = myTspi_Policy_SetSecret (s->srk_policy,
284 SAFE_LEN (srk_password), (BYTE *) srk_password);
285 if (err)
286 {
287 gnutls_assert ();
288 ret = tss_err(err);
289 goto out_srkpol;
290 }
291
292 return 0;
293
294 out_srkpol:
295 Tspi_Context_CloseObject (s->tpm_ctx, s->srk_policy);
296 s->srk_policy = 0;
297 out_srk:
298 Tspi_Context_CloseObject (s->tpm_ctx, s->srk);
299 s->srk = 0;
300 out_tspi_ctx:
301 Tspi_Context_Close (s->tpm_ctx);
302 s->tpm_ctx = 0;
303 return ret;
304
305 }
306
307 static void tpm_close_session(struct tpm_ctx_st *s)
308 {
309 Tspi_Context_CloseObject (s->tpm_ctx, s->srk_policy);
310 s->srk_policy = 0;
311 Tspi_Context_CloseObject (s->tpm_ctx, s->srk);
312 s->srk = 0;
313 Tspi_Context_Close (s->tpm_ctx);
314 s->tpm_ctx = 0;
315 }
316
317 static int
318 import_tpm_key_cb (gnutls_privkey_t pkey, const gnutls_datum_t * fdata,
319 gnutls_tpmkey_fmt_t format, TSS_UUID *uuid,
320 TSS_FLAG storage, const char *srk_password,
321 const char *key_password)
322 {
323 unsigned int attempts = 0;
324 char pin1[GNUTLS_PKCS11_MAX_PIN_LEN];
325 char pin2[GNUTLS_PKCS11_MAX_PIN_LEN];
326 int ret, ret2;
327
328 do
329 {
330 ret = import_tpm_key(pkey, fdata, format, uuid, storage, srk_password, key_password);
331
332 if (attempts > 3)
333 break;
334
335 if (ret == GNUTLS_E_TPM_SRK_PASSWORD_ERROR)
336 {
337 ret2 = tpm_pin(&pkey->pin, &srk_uuid, storage, pin1, sizeof(pin1), attempts++);
338 if (ret2 < 0)
339 {
340 gnutls_assert();
341 return GNUTLS_E_TPM_SRK_PASSWORD_ERROR;
342 }
343 srk_password = pin1;
344 }
345
346 if (ret == GNUTLS_E_TPM_KEY_PASSWORD_ERROR)
347 {
348 ret2 = tpm_pin(&pkey->pin, uuid, storage, pin2, sizeof(pin2), attempts++);
349 if (ret2 < 0)
350 {
351 gnutls_assert();
352 return GNUTLS_E_TPM_KEY_PASSWORD_ERROR;
353 }
354 key_password = pin2;
355 }
356 }
357 while(ret == GNUTLS_E_TPM_KEY_PASSWORD_ERROR || ret == GNUTLS_E_TPM_SRK_PASSWORD_ERROR);
358
359 if (ret < 0)
360 gnutls_assert();
361 return ret;
362 }
363
364 static int load_key(TSS_HCONTEXT tpm_ctx, TSS_HKEY srk,
365 const gnutls_datum_t * fdata, gnutls_tpmkey_fmt_t format,
366 TSS_HKEY* tpm_key)
367 {
368 int ret, err;
369 gnutls_datum_t asn1 = { NULL, 0 };
370 size_t slen;
371
372 if (format == GNUTLS_TPMKEY_FMT_CTK_PEM)
373 {
374 ret = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
375 if (ret)
376 {
377 gnutls_assert ();
378 _gnutls_debug_log ("Error decoding TSS key blob: %s\n",
379 gnutls_strerror (ret));
380 return ret;
381 }
382
383 slen = asn1.size;
384 ret = _gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size, asn1.data, &slen);
385 if (ret < 0)
386 {
387 gnutls_assert();
388 goto cleanup;
389 }
390 asn1.size = slen;
391 }
392 else /* DER */
393 {
394 UINT32 tint2;
395 UINT32 type;
396
397 asn1.size = fdata->size;
398 asn1.data = gnutls_malloc(asn1.size);
399 if (asn1.data == NULL)
400 {
401 gnutls_assert();
402 return GNUTLS_E_MEMORY_ERROR;
403 }
404
405 tint2 = asn1.size;
406 err = Tspi_DecodeBER_TssBlob(fdata->size, fdata->data, &type,
407 &tint2, asn1.data);
408 if (err != 0)
409 {
410 gnutls_assert();
411 ret = tss_err(err);
412 goto cleanup;
413 }
414
415 asn1.size = tint2;
416 }
417
418 /* ... we get it here instead. */
419 err = Tspi_Context_LoadKeyByBlob (tpm_ctx, srk,
420 asn1.size, asn1.data, tpm_key);
421 if (err != 0)
422 {
423 gnutls_assert ();
424 ret = tss_err(err);
425 goto cleanup;
426 }
427
428 ret = 0;
429
430 cleanup:
431 gnutls_free (asn1.data);
432
433 return ret;
434 }
435
436
437 static int
438 import_tpm_key (gnutls_privkey_t pkey,
439 const gnutls_datum_t * fdata,
440 gnutls_tpmkey_fmt_t format,
441 TSS_UUID *uuid,
442 TSS_FLAG storage,
443 const char *srk_password,
444 const char *key_password)
445 {
446 int err, ret;
447 struct tpm_ctx_st *s;
448 gnutls_datum_t tmp_sig;
449
450 s = gnutls_malloc (sizeof (*s));
451 if (s == NULL)
452 {
453 gnutls_assert ();
454 return GNUTLS_E_MEMORY_ERROR;
455 }
456
457 ret = tpm_open_session(s, srk_password);
458 if (ret < 0)
459 {
460 gnutls_assert();
461 goto out_ctx;
462 }
463
464 if (fdata != NULL)
465 {
466 ret = load_key(s->tpm_ctx, s->srk, fdata, format, &s->tpm_key);
467 if (ret < 0)
468 {
469 gnutls_assert();
470 goto out_session;
471 }
472 }
473 else if (uuid)
474 {
475 err =
476 Tspi_Context_LoadKeyByUUID (s->tpm_ctx, storage,
477 *uuid, &s->tpm_key);
478
479 if (err)
480 {
481 gnutls_assert ();
482 ret = tss_err(err);
483 goto out_session;
484 }
485 }
486 else
487 {
488 gnutls_assert();
489 ret = GNUTLS_E_INVALID_REQUEST;
490 goto out_session;
491 }
492
493 ret =
494 gnutls_privkey_import_ext2 (pkey, GNUTLS_PK_RSA, s,
495 tpm_sign_fn, NULL, tpm_deinit_fn, 0);
496 if (ret < 0)
497 {
498 gnutls_assert ();
499 goto out_session;
500 }
501
502 ret =
503 gnutls_privkey_sign_data (pkey, GNUTLS_DIG_SHA1, 0, &nulldata, &tmp_sig);
504 if (ret == GNUTLS_E_TPM_KEY_PASSWORD_ERROR)
505 {
506 if (!s->tpm_key_policy)
507 {
508 err = Tspi_Context_CreateObject (s->tpm_ctx,
509 TSS_OBJECT_TYPE_POLICY,
510 TSS_POLICY_USAGE,
511 &s->tpm_key_policy);
512 if (err)
513 {
514 gnutls_assert ();
515 ret = tss_err(err);
516 goto out_key;
517 }
518
519 err = Tspi_Policy_AssignToObject (s->tpm_key_policy, s->tpm_key);
520 if (err)
521 {
522 gnutls_assert ();
523 ret = tss_err(err);
524 goto out_key_policy;
525 }
526 }
527
528 err = myTspi_Policy_SetSecret (s->tpm_key_policy,
529 SAFE_LEN(key_password), (void *) key_password);
530
531 if (err)
532 {
533 gnutls_assert ();
534 ret = tss_err_key(err);
535 goto out_key_policy;
536 }
537 }
538 else if (ret < 0)
539 {
540 gnutls_assert ();
541 goto out_session;
542 }
543
544 return 0;
545 out_key_policy:
546 Tspi_Context_CloseObject (s->tpm_ctx, s->tpm_key_policy);
547 s->tpm_key_policy = 0;
548 out_key:
549 Tspi_Context_CloseObject (s->tpm_ctx, s->tpm_key);
550 s->tpm_key = 0;
551 out_session:
552 tpm_close_session(s);
553 out_ctx:
554 gnutls_free (s);
555 return ret;
556 }
557
558 /**
559 * gnutls_privkey_import_tpm_raw:
560 * @pkey: The private key
561 * @fdata: The TPM key to be imported
562 * @format: The format of the private key
563 * @srk_password: The password for the SRK key (optional)
564 * @key_password: A password for the key (optional)
565 * @flags: should be zero
566 *
567 * This function will import the given private key to the abstract
568 * #gnutls_privkey_t structure.
569 *
570 * With respect to passwords the same as in gnutls_privkey_import_tpm_url() apply.
571 *
572 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
573 * negative error value.
574 *
575 * Since: 3.1.0
576 *
577 **/
578 int
579 gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
580 const gnutls_datum_t * fdata,
581 gnutls_tpmkey_fmt_t format,
582 const char *srk_password,
583 const char *key_password,
584 unsigned int flags)
585 {
586 if (flags & GNUTLS_PRIVKEY_DISABLE_CALLBACKS)
587 return import_tpm_key(pkey, fdata, format, NULL, 0, srk_password, key_password);
588 else
589 return import_tpm_key_cb(pkey, fdata, format, NULL, 0, srk_password, key_password);
590 }
591
592 struct tpmkey_url_st
593 {
594 char* filename;
595 TSS_UUID uuid;
596 TSS_FLAG storage;
597 unsigned int uuid_set;
598 };
599
600 static void clear_tpmkey_url(struct tpmkey_url_st *s)
601 {
602 gnutls_free(s->filename);
603 memset(s, 0, sizeof(*s));
604 }
605
606 static int
607 unescape_string (char *output, const char *input, size_t * size,
608 char terminator)
609 {
610 gnutls_buffer_st str;
611 int ret = 0;
612 char *p;
613 int len;
614
615 _gnutls_buffer_init (&str);
616
617 /* find terminator */
618 p = strchr (input, terminator);
619 if (p != NULL)
620 len = p - input;
621 else
622 len = strlen (input);
623
624 ret = _gnutls_buffer_append_data (&str, input, len);
625 if (ret < 0)
626 {
627 gnutls_assert ();
628 return ret;
629 }
630
631 ret = _gnutls_buffer_unescape (&str);
632 if (ret < 0)
633 {
634 gnutls_assert ();
635 return ret;
636 }
637
638 ret = _gnutls_buffer_append_data (&str, "", 1);
639 if (ret < 0)
640 {
641 gnutls_assert ();
642 return ret;
643 }
644
645 _gnutls_buffer_pop_data (&str, output, size);
646
647 _gnutls_buffer_clear (&str);
648
649 return ret;
650 }
651
652 #define UUID_SIZE 16
653
654 static int randomize_uuid(TSS_UUID* uuid)
655 {
656 uint8_t raw_uuid[16];
657 int ret;
658
659 ret = _gnutls_rnd (GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid));
660 if (ret < 0)
661 return gnutls_assert_val(ret);
662
663 /* mark it as random uuid */
664 raw_uuid[6] &= 0x0f;
665 raw_uuid[6] |= 0x40;
666 raw_uuid[8] &= 0x0f;
667 raw_uuid[8] |= 0x80;
668
669 memcpy(&uuid->ulTimeLow, raw_uuid, 4);
670 memcpy(&uuid->usTimeMid, &raw_uuid[4], 2);
671 memcpy(&uuid->usTimeHigh, &raw_uuid[6], 2);
672 uuid->bClockSeqHigh = raw_uuid[8];
673 uuid->bClockSeqLow = raw_uuid[9];
674 memcpy(&uuid->rgbNode, &raw_uuid[10], 6);
675
676 return 0;
677 }
678
679 static int encode_tpmkey_url(char** url, const TSS_UUID* uuid, TSS_FLAG storage)
680 {
681 size_t size = (UUID_SIZE*2+4)*2+32;
682 uint8_t u1[UUID_SIZE];
683 gnutls_buffer_st buf;
684 gnutls_datum_t dret;
685 int ret;
686
687 *url = gnutls_malloc(size);
688 if (*url == NULL)
689 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
690
691 _gnutls_buffer_init(&buf);
692
693 memcpy(u1, &uuid->ulTimeLow, 4);
694 memcpy(&u1[4], &uuid->usTimeMid, 2);
695 memcpy(&u1[6], &uuid->usTimeHigh, 2);
696 u1[8] = uuid->bClockSeqHigh;
697 u1[9] = uuid->bClockSeqLow;
698 memcpy(&u1[10], uuid->rgbNode, 6);
699
700 ret = _gnutls_buffer_append_str(&buf, "tpmkey:uuid=");
701 if (ret < 0)
702 {
703 gnutls_assert();
704 goto cleanup;
705 }
706
707 ret = _gnutls_buffer_append_printf(&buf, "%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
708 (unsigned int)u1[0], (unsigned int)u1[1], (unsigned int)u1[2], (unsigned int)u1[3],
709 (unsigned int)u1[4], (unsigned int)u1[5], (unsigned int)u1[6], (unsigned int)u1[7],
710 (unsigned int)u1[8], (unsigned int)u1[9], (unsigned int)u1[10], (unsigned int)u1[11],
711 (unsigned int)u1[12], (unsigned int)u1[13], (unsigned int)u1[14], (unsigned int)u1[15]);
712 if (ret < 0)
713 {
714 gnutls_assert();
715 goto cleanup;
716 }
717
718 ret = _gnutls_buffer_append_printf(&buf, ";storage=%s", (storage==TSS_PS_TYPE_USER)?"user":"system");
719 if (ret < 0)
720 {
721 gnutls_assert();
722 goto cleanup;
723 }
724
725 ret = _gnutls_buffer_to_datum(&buf, &dret);
726 if (ret < 0)
727 {
728 gnutls_assert();
729 goto cleanup;
730 }
731
732 *url = (char*)dret.data;
733
734 return 0;
735 cleanup:
736 _gnutls_buffer_clear(&buf);
737 return ret;
738 }
739
740 static int decode_tpmkey_url(const char* url, struct tpmkey_url_st *s)
741 {
742 char* p;
743 size_t size;
744 int ret;
745 unsigned int i, j;
746
747 if (strstr (url, "tpmkey:") == NULL)
748 return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
749
750 memset(s, 0, sizeof(*s));
751
752 p = strstr(url, "file=");
753 if (p != NULL)
754 {
755 p += sizeof ("file=") - 1;
756 size = strlen(p);
757 s->filename = gnutls_malloc(size+1);
758 if (s->filename == NULL)
759 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
760
761 ret = unescape_string (s->filename, p, &size, ';');
762 if (ret < 0)
763 {
764 gnutls_assert();
765 goto cleanup;
766 }
767 s->filename[size] = 0;
768 }
769 else if ((p = strstr(url, "uuid=")) != NULL)
770 {
771 char tmp_uuid[33];
772 uint8_t raw_uuid[16];
773
774 p += sizeof ("uuid=") - 1;
775 size = strlen(p);
776
777 for (j=i=0;i<size;i++)
778 {
779 if (j==sizeof(tmp_uuid)-1)
780 {
781 break;
782 }
783 if (isalnum(p[i])) tmp_uuid[j++]=p[i];
784 }
785 tmp_uuid[j] = 0;
786
787 size = sizeof(raw_uuid);
788 ret = _gnutls_hex2bin(tmp_uuid, strlen(tmp_uuid), raw_uuid, &size);
789 if (ret < 0)
790 {
791 gnutls_assert();
792 goto cleanup;
793 }
794
795 memcpy(&s->uuid.ulTimeLow, raw_uuid, 4);
796 memcpy(&s->uuid.usTimeMid, &raw_uuid[4], 2);
797 memcpy(&s->uuid.usTimeHigh, &raw_uuid[6], 2);
798 s->uuid.bClockSeqHigh = raw_uuid[8];
799 s->uuid.bClockSeqLow = raw_uuid[9];
800 memcpy(&s->uuid.rgbNode, &raw_uuid[10], 6);
801 s->uuid_set = 1;
802 }
803 else
804 {
805 return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
806 }
807
808 if ((p = strstr(url, "storage=user")) != NULL)
809 s->storage = TSS_PS_TYPE_USER;
810 else
811 s->storage = TSS_PS_TYPE_SYSTEM;
812
813 return 0;
814
815 cleanup:
816 clear_tpmkey_url(s);
817 return ret;
818 }
819
820 /**
821 * gnutls_privkey_import_tpm_url:
822 * @pkey: The private key
823 * @url: The URL of the TPM key to be imported
824 * @srk_password: The password for the SRK key (optional)
825 * @key_password: A password for the key (optional)
826 * @flags: One of the GNUTLS_PRIVKEY_* flags
827 *
828 * This function will import the given private key to the abstract
829 * #gnutls_privkey_t structure.
830 *
831 * Note that unless %GNUTLS_PRIVKEY_DISABLE_CALLBACKS
832 * is specified, if incorrect (or NULL) passwords are given
833 * the PKCS11 callback functions will be used to obtain the
834 * correct passwords. Otherwise if the SRK password is wrong
835 * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned and if the key password
836 * is wrong or not provided then %GNUTLS_E_TPM_KEY_PASSWORD_ERROR
837 * is returned.
838 *
839 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
840 * negative error value.
841 *
842 * Since: 3.1.0
843 *
844 **/
845 int
846 gnutls_privkey_import_tpm_url (gnutls_privkey_t pkey,
847 const char* url,
848 const char *srk_password,
849 const char *key_password,
850 unsigned int flags)
851 {
852 struct tpmkey_url_st durl;
853 gnutls_datum_t fdata = { NULL, 0 };
854 int ret;
855
856 ret = decode_tpmkey_url(url, &durl);
857 if (ret < 0)
858 return gnutls_assert_val(ret);
859
860 if (durl.filename)
861 {
862 ret = gnutls_load_file(durl.filename, &fdata);
863 if (ret < 0)
864 {
865 gnutls_assert();
866 _gnutls_debug_log("Error loading %s\n", durl.filename);
867 goto cleanup;
868 }
869
870 ret = gnutls_privkey_import_tpm_raw (pkey, &fdata, GNUTLS_TPMKEY_FMT_CTK_PEM,
871 srk_password, key_password, flags);
872 if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
873 ret = gnutls_privkey_import_tpm_raw (pkey, &fdata, GNUTLS_TPMKEY_FMT_DER,
874 srk_password, key_password, flags);
875
876 if (ret < 0)
877 {
878 gnutls_assert();
879 goto cleanup;
880 }
881 }
882 else if (durl.uuid_set)
883 {
884 if (flags & GNUTLS_PRIVKEY_DISABLE_CALLBACKS)
885 ret = import_tpm_key (pkey, NULL, 0, &durl.uuid, durl.storage, srk_password, key_password);
886 else
887 ret = import_tpm_key_cb (pkey, NULL, 0, &durl.uuid, durl.storage, srk_password, key_password);
888 if (ret < 0)
889 {
890 gnutls_assert();
891 goto cleanup;
892 }
893 }
894
895 ret = 0;
896 cleanup:
897 gnutls_free(fdata.data);
898 clear_tpmkey_url(&durl);
899 return ret;
900 }
901
902
903 /* reads the RSA public key from the given TSS key.
904 * If psize is non-null it contains the total size of the parameters
905 * in bytes */
906 static int read_pubkey(gnutls_pubkey_t pub, TSS_HKEY key_ctx, size_t *psize)
907 {
908 void* tdata;
909 UINT32 tint;
910 TSS_RESULT tssret;
911 gnutls_datum_t m, e;
912 int ret;
913
914 /* read the public key */
915
916 tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_RSAKEY_INFO,
917 TSS_TSPATTRIB_KEYINFO_RSA_MODULUS, &tint, (void*)&tdata);
918 if (tssret != 0)
919 {
920 gnutls_assert();
921 return tss_err(tssret);
922 }
923
924 m.data = tdata;
925 m.size = tint;
926
927 tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_RSAKEY_INFO,
928 TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT, &tint, (void*)&tdata);
929 if (tssret != 0)
930 {
931 gnutls_assert();
932 Tspi_Context_FreeMemory(key_ctx, m.data);
933 return tss_err(tssret);
934 }
935
936 e.data = tdata;
937 e.size = tint;
938
939 ret = gnutls_pubkey_import_rsa_raw(pub, &m, &e);
940
941 Tspi_Context_FreeMemory(key_ctx, m.data);
942 Tspi_Context_FreeMemory(key_ctx, e.data);
943
944 if (ret < 0)
945 return gnutls_assert_val(ret);
946
947 if (psize)
948 *psize = e.size + m.size;
949
950 return 0;
951 }
952
953
954
955 static int
956 import_tpm_pubkey (gnutls_pubkey_t pkey,
957 const gnutls_datum_t * fdata,
958 gnutls_tpmkey_fmt_t format,
959 TSS_UUID *uuid,
960 TSS_FLAG storage,
961 const char *srk_password)
962 {
963 int err, ret;
964 struct tpm_ctx_st s;
965
966 ret = tpm_open_session(&s, srk_password);
967 if (ret < 0)
968 return gnutls_assert_val(ret);
969
970 if (fdata != NULL)
971 {
972 ret = load_key(s.tpm_ctx, s.srk, fdata, format, &s.tpm_key);
973 if (ret < 0)
974 {
975 gnutls_assert();
976 goto out_session;
977 }
978 }
979 else if (uuid)
980 {
981 err =
982 Tspi_Context_LoadKeyByUUID (s.tpm_ctx, storage,
983 *uuid, &s.tpm_key);
984 if (err)
985 {
986 gnutls_assert ();
987 ret = tss_err(err);
988 goto out_session;
989 }
990 }
991 else
992 {
993 gnutls_assert();
994 ret = GNUTLS_E_INVALID_REQUEST;
995 goto out_session;
996 }
997
998 ret = read_pubkey(pkey, s.tpm_key, NULL);
999 if (ret < 0)
1000 {
1001 gnutls_assert();
1002 goto out_session;
1003 }
1004
1005 ret = 0;
1006 out_session:
1007 tpm_close_session(&s);
1008 return ret;
1009 }
1010
1011 static int
1012 import_tpm_pubkey_cb (gnutls_pubkey_t pkey,
1013 const gnutls_datum_t * fdata,
1014 gnutls_tpmkey_fmt_t format,
1015 TSS_UUID *uuid,
1016 TSS_FLAG storage,
1017 const char *srk_password)
1018 {
1019 unsigned int attempts = 0;
1020 char pin1[GNUTLS_PKCS11_MAX_PIN_LEN];
1021 int ret;
1022
1023 do
1024 {
1025 ret = import_tpm_pubkey(pkey, fdata, format, uuid, storage, srk_password);
1026
1027 if (attempts > 3)
1028 break;
1029
1030 if (ret == GNUTLS_E_TPM_SRK_PASSWORD_ERROR)
1031 {
1032 ret = tpm_pin(&pkey->pin, &srk_uuid, storage, pin1, sizeof(pin1), attempts++);
1033 if (ret < 0)
1034 {
1035 gnutls_assert();
1036 return GNUTLS_E_TPM_SRK_PASSWORD_ERROR;
1037 }
1038 srk_password = pin1;
1039 }
1040 }
1041 while(ret == GNUTLS_E_TPM_SRK_PASSWORD_ERROR);
1042
1043 if (ret < 0)
1044 gnutls_assert();
1045 return ret;
1046 }
1047
1048
1049 /**
1050 * gnutls_pubkey_import_tpm_raw:
1051 * @pkey: The public key
1052 * @fdata: The TPM key to be imported
1053 * @format: The format of the private key
1054 * @srk_password: The password for the SRK key (optional)
1055 * @flags: One of the GNUTLS_PUBKEY_* flags
1056 *
1057 * This function will import the public key from the provided TPM key
1058 * structure.
1059 *
1060 * With respect to passwords the same as in
1061 * gnutls_pubkey_import_tpm_url() apply.
1062 *
1063 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1064 * negative error value.
1065 *
1066 * Since: 3.1.0
1067 **/
1068 int
1069 gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey,
1070 const gnutls_datum_t * fdata,
1071 gnutls_tpmkey_fmt_t format,
1072 const char *srk_password,
1073 unsigned int flags)
1074 {
1075 if (flags & GNUTLS_PUBKEY_DISABLE_CALLBACKS)
1076 return import_tpm_pubkey_cb(pkey, fdata, format, NULL, 0, srk_password);
1077 else
1078 return import_tpm_pubkey(pkey, fdata, format, NULL, 0, srk_password);
1079 }
1080
1081 /**
1082 * gnutls_pubkey_import_tpm_url:
1083 * @pkey: The public key
1084 * @url: The URL of the TPM key to be imported
1085 * @srk_password: The password for the SRK key (optional)
1086 * @flags: should be zero
1087 *
1088 * This function will import the given private key to the abstract
1089 * #gnutls_privkey_t structure.
1090 *
1091 * Note that unless %GNUTLS_PUBKEY_DISABLE_CALLBACKS
1092 * is specified, if incorrect (or NULL) passwords are given
1093 * the PKCS11 callback functions will be used to obtain the
1094 * correct passwords. Otherwise if the SRK password is wrong
1095 * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned.
1096 *
1097 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1098 * negative error value.
1099 *
1100 * Since: 3.1.0
1101 *
1102 **/
1103 int
1104 gnutls_pubkey_import_tpm_url (gnutls_pubkey_t pkey,
1105 const char* url,
1106 const char *srk_password,
1107 unsigned int flags)
1108 {
1109 struct tpmkey_url_st durl;
1110 gnutls_datum_t fdata = { NULL, 0 };
1111 int ret;
1112
1113 ret = decode_tpmkey_url(url, &durl);
1114 if (ret < 0)
1115 return gnutls_assert_val(ret);
1116
1117 if (durl.filename)
1118 {
1119
1120 ret = gnutls_load_file(durl.filename, &fdata);
1121 if (ret < 0)
1122 {
1123 gnutls_assert();
1124 goto cleanup;
1125 }
1126
1127 ret = gnutls_pubkey_import_tpm_raw (pkey, &fdata, GNUTLS_TPMKEY_FMT_CTK_PEM,
1128 srk_password, flags);
1129 if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
1130 ret = gnutls_pubkey_import_tpm_raw (pkey, &fdata, GNUTLS_TPMKEY_FMT_DER,
1131 srk_password, flags);
1132 if (ret < 0)
1133 {
1134 gnutls_assert();
1135 goto cleanup;
1136 }
1137 }
1138 else if (durl.uuid_set)
1139 {
1140 if (flags & GNUTLS_PUBKEY_DISABLE_CALLBACKS)
1141 ret = import_tpm_pubkey (pkey, NULL, 0, &durl.uuid, durl.storage, srk_password);
1142 else
1143 ret = import_tpm_pubkey_cb (pkey, NULL, 0, &durl.uuid, durl.storage, srk_password);
1144 if (ret < 0)
1145 {
1146 gnutls_assert();
1147 goto cleanup;
1148 }
1149 }
1150
1151 ret = 0;
1152 cleanup:
1153 gnutls_free(fdata.data);
1154 clear_tpmkey_url(&durl);
1155 return ret;
1156 }
1157
1158
1159 /**
1160 * gnutls_tpm_privkey_generate:
1161 * @pk: the public key algorithm
1162 * @bits: the security bits
1163 * @srk_password: a password to protect the exported key (optional)
1164 * @key_password: the password for the TPM (optional)
1165 * @format: the format of the private key
1166 * @pub_format: the format of the public key
1167 * @privkey: the generated key
1168 * @pubkey: the corresponding public key (may be null)
1169 * @flags: should be a list of GNUTLS_TPM_* flags
1170 *
1171 * This function will generate a private key in the TPM
1172 * chip. The private key will be generated within the chip
1173 * and will be exported in a wrapped with TPM's master key
1174 * form. Furthermore the wrapped key can be protected with
1175 * the provided @password.
1176 *
1177 * Note that bits in TPM is quantized value. If the input value
1178 * is not one of the allowed values, then it will be quantized to
1179 * one of 512, 1024, 2048, 4096, 8192 and 16384.
1180 *
1181 * Allowed flags are:
1182 *
1183 * %GNUTLS_TPM_KEY_SIGNING: Generate a signing key instead of a legacy,
1184
1185 * %GNUTLS_TPM_REGISTER_KEY: Register the generate key in TPM. In that
1186 * case @privkey would contain a URL with the UUID.
1187 *
1188 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1189 * negative error value.
1190 *
1191 * Since: 3.1.0
1192 **/
1193 int
1194 gnutls_tpm_privkey_generate (gnutls_pk_algorithm_t pk, unsigned int bits,
1195 const char* srk_password,
1196 const char* key_password,
1197 gnutls_tpmkey_fmt_t format,
1198 gnutls_x509_crt_fmt_t pub_format,
1199 gnutls_datum_t* privkey,
1200 gnutls_datum_t* pubkey,
1201 unsigned int flags)
1202 {
1203 TSS_FLAG tpm_flags = TSS_KEY_VOLATILE;
1204 TSS_HKEY key_ctx;
1205 TSS_RESULT tssret;
1206 int ret;
1207 void* tdata;
1208 UINT32 tint;
1209 gnutls_datum_t tmpkey = {NULL, 0};
1210 TSS_HPOLICY key_policy;
1211 gnutls_pubkey_t pub;
1212 struct tpm_ctx_st s;
1213 TSS_FLAG storage_type;
1214 TSS_HTPM htpm;
1215 uint8_t buf[32];
1216
1217 if (flags & GNUTLS_TPM_KEY_SIGNING)
1218 tpm_flags |= TSS_KEY_TYPE_SIGNING;
1219 else
1220 tpm_flags |= TSS_KEY_TYPE_LEGACY;
1221
1222 if (flags & GNUTLS_TPM_KEY_USER)
1223 storage_type = TSS_PS_TYPE_USER;
1224 else
1225 storage_type = TSS_PS_TYPE_SYSTEM;
1226
1227 if (bits <= 512)
1228 tpm_flags |= TSS_KEY_SIZE_512;
1229 else if (bits <= 1024)
1230 tpm_flags |= TSS_KEY_SIZE_1024;
1231 else if (bits <= 2048)
1232 tpm_flags |= TSS_KEY_SIZE_2048;
1233 else if (bits <= 4096)
1234 tpm_flags |= TSS_KEY_SIZE_4096;
1235 else if (bits <= 8192)
1236 tpm_flags |= TSS_KEY_SIZE_8192;
1237 else
1238 tpm_flags |= TSS_KEY_SIZE_16384;
1239
1240 ret = tpm_open_session(&s, srk_password);
1241 if (ret < 0)
1242 return gnutls_assert_val(ret);
1243
1244 /* put some randomness into TPM.
1245 * Let's not trust it completely.
1246 */
1247 tssret = Tspi_Context_GetTpmObject(s.tpm_ctx, &htpm);
1248 if (tssret != 0)
1249 {
1250 gnutls_assert();
1251 ret = tss_err(tssret);
1252 goto err_cc;
1253 }
1254
1255
1256 ret = _gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf));
1257 if (ret < 0)
1258 {
1259 gnutls_assert();
1260 goto err_cc;
1261 }
1262
1263 tssret = Tspi_TPM_StirRandom(htpm, sizeof(buf), buf);
1264 if (tssret)
1265 {
1266 gnutls_assert();
1267 }
1268
1269 tssret = Tspi_Context_CreateObject(s.tpm_ctx, TSS_OBJECT_TYPE_RSAKEY, tpm_flags, &key_ctx);
1270 if (tssret != 0)
1271 {
1272 gnutls_assert();
1273 ret = tss_err(tssret);
1274 goto err_cc;
1275 }
1276
1277 tssret = Tspi_SetAttribUint32(key_ctx, TSS_TSPATTRIB_KEY_INFO, TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
1278 TSS_SS_RSASSAPKCS1V15_DER);
1279 if (tssret != 0)
1280 {
1281 gnutls_assert();
1282 ret = tss_err(tssret);
1283 goto err_sa;
1284 }
1285
1286 /* set the password of the actual key */
1287 if (key_password)
1288 {
1289 tssret = Tspi_GetPolicyObject(key_ctx, TSS_POLICY_USAGE, &key_policy);
1290 if (tssret != 0)
1291 {
1292 gnutls_assert();
1293 ret = tss_err(tssret);
1294 goto err_sa;
1295 }
1296
1297 tssret = myTspi_Policy_SetSecret(key_policy,
1298 SAFE_LEN(key_password), (void*)key_password);
1299 if (tssret != 0)
1300 {
1301 gnutls_assert();
1302 ret = tss_err(tssret);
1303 goto err_sa;
1304 }
1305 }
1306
1307 tssret = Tspi_Key_CreateKey(key_ctx, s.srk, 0);
1308 if (tssret != 0)
1309 {
1310 gnutls_assert();
1311 ret = tss_err(tssret);
1312 goto err_sa;
1313 }
1314
1315 if (flags & GNUTLS_TPM_REGISTER_KEY)
1316 {
1317 TSS_UUID key_uuid;
1318
1319 ret = randomize_uuid(&key_uuid);
1320 if (ret < 0)
1321 {
1322 gnutls_assert();
1323 goto err_sa;
1324 }
1325
1326 tssret = Tspi_Context_RegisterKey(s.tpm_ctx, key_ctx, storage_type,
1327 key_uuid, TSS_PS_TYPE_SYSTEM, srk_uuid);
1328 if (tssret != 0)
1329 {
1330 gnutls_assert();
1331 ret = tss_err(tssret);
1332 goto err_sa;
1333 }
1334
1335 ret = encode_tpmkey_url((char**)&privkey->data, &key_uuid, storage_type);
1336 if (ret < 0)
1337 {
1338 TSS_HKEY tkey;
1339
1340 Tspi_Context_UnregisterKey(s.tpm_ctx, storage_type, key_uuid, &tkey);
1341 gnutls_assert();
1342 goto err_sa;
1343 }
1344 privkey->size = strlen((char*)privkey->data);
1345
1346 }
1347 else /* get the key as blob */
1348 {
1349
1350 tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_KEY_BLOB,
1351 TSS_TSPATTRIB_KEYBLOB_BLOB, &tint, (void*)&tdata);
1352 if (tssret != 0)
1353 {
1354 gnutls_assert();
1355 ret = tss_err(tssret);
1356 goto err_sa;
1357 }
1358
1359
1360 if (format == GNUTLS_TPMKEY_FMT_CTK_PEM)
1361 {
1362 ret = _gnutls_x509_encode_octet_string(tdata, tint, &tmpkey);
1363 if (ret < 0)
1364 {
1365 gnutls_assert();
1366 goto cleanup;
1367 }
1368
1369 ret = _gnutls_fbase64_encode ("TSS KEY BLOB", tmpkey.data, tmpkey.size, privkey);
1370 if (ret < 0)
1371 {
1372 gnutls_assert();
1373 goto cleanup;
1374 }
1375 }
1376 else
1377 {
1378 UINT32 tint2;
1379
1380 tmpkey.size = tint + 32; /* spec says no more than 20 */
1381 tmpkey.data = gnutls_malloc(tmpkey.size);
1382 if (tmpkey.data == NULL)
1383 {
1384 gnutls_assert();
1385 ret = GNUTLS_E_MEMORY_ERROR;
1386 goto cleanup;
1387 }
1388
1389 tint2 = tmpkey.size;
1390 tssret = Tspi_EncodeDER_TssBlob(tint, tdata, TSS_BLOB_TYPE_PRIVATEKEY,
1391 &tint2, tmpkey.data);
1392 if (tssret != 0)
1393 {
1394 gnutls_assert();
1395 ret = tss_err(tssret);
1396 goto cleanup;
1397 }
1398
1399 tmpkey.size = tint2;
1400
1401 privkey->data = tmpkey.data;
1402 privkey->size = tmpkey.size;
1403 tmpkey.data = NULL;
1404 }
1405 }
1406
1407 /* read the public key */
1408 if (pubkey != NULL)
1409 {
1410 size_t psize;
1411
1412 ret = gnutls_pubkey_init(&pub);
1413 if (ret < 0)
1414 {
1415 gnutls_assert();
1416 goto privkey_cleanup;
1417 }
1418
1419 ret = read_pubkey(pub, key_ctx, &psize);
1420 if (ret < 0)
1421 {
1422 gnutls_assert();
1423 goto privkey_cleanup;
1424 }
1425 psize+=512;
1426
1427 pubkey->data = gnutls_malloc(psize);
1428 if (pubkey->data == NULL)
1429 {
1430 gnutls_assert();
1431 ret = GNUTLS_E_MEMORY_ERROR;
1432 goto pubkey_cleanup;
1433 }
1434
1435 ret = gnutls_pubkey_export(pub, pub_format, pubkey->data, &psize);
1436 if (ret < 0)
1437 {
1438 gnutls_assert();
1439 goto pubkey_cleanup;
1440 }
1441 pubkey->size = psize;
1442
1443 gnutls_pubkey_deinit(pub);
1444 }
1445
1446 ret = 0;
1447 goto cleanup;
1448
1449 pubkey_cleanup:
1450 gnutls_pubkey_deinit(pub);
1451 privkey_cleanup:
1452 gnutls_free(privkey->data);
1453 privkey->data = NULL;
1454 cleanup:
1455 gnutls_free(tmpkey.data);
1456 tmpkey.data = NULL;
1457 err_sa:
1458 Tspi_Context_CloseObject(s.tpm_ctx, key_ctx);
1459 err_cc:
1460 tpm_close_session(&s);
1461 return ret;
1462 }
1463
1464
1465 /**
1466 * gnutls_tpm_key_list_deinit:
1467 * @list: a list of the keys
1468 *
1469 * This function will deinitialize the list of stored keys in the TPM.
1470 *
1471 * Since: 3.1.0
1472 **/
1473 void
1474 gnutls_tpm_key_list_deinit (gnutls_tpm_key_list_t list)
1475 {
1476 if (list->tpm_ctx != 0) Tspi_Context_Close (list->tpm_ctx);
1477 gnutls_free(list);
1478 }
1479
1480 /**
1481 * gnutls_tpm_key_list_get_url:
1482 * @list: a list of the keys
1483 * @idx: The index of the key (starting from zero)
1484 * @url: The URL to be returned
1485 * @flags: should be zero
1486 *
1487 * This function will return for each given index a URL of
1488 * the corresponding key.
1489 * If the provided index is out of bounds then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1490 * is returned.
1491 *
1492 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1493 * negative error value.
1494 *
1495 * Since: 3.1.0
1496 **/
1497 int
1498 gnutls_tpm_key_list_get_url (gnutls_tpm_key_list_t list, unsigned int idx, char** url, unsigned int flags)
1499 {
1500 if (idx >= list->size)
1501 return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
1502
1503 return encode_tpmkey_url(url, &list->ki[idx].keyUUID, list->ki[idx].persistentStorageType);
1504 }
1505
1506 /**
1507 * gnutls_tpm_get_registered:
1508 * @list: a list to store the keys
1509 *
1510 * This function will get a list of stored keys in the TPM. The uuid
1511 * of those keys
1512 *
1513 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1514 * negative error value.
1515 *
1516 * Since: 3.1.0
1517 **/
1518 int
1519 gnutls_tpm_get_registered (gnutls_tpm_key_list_t *list)
1520 {
1521 TSS_RESULT tssret;
1522 int ret;
1523
1524 *list = gnutls_calloc(1, sizeof(struct tpm_key_list_st));
1525 if (*list == NULL)
1526 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1527
1528 tssret = Tspi_Context_Create (&(*list)->tpm_ctx);
1529 if (tssret)
1530 {
1531 gnutls_assert ();
1532 ret = tss_err(tssret);
1533 goto cleanup;
1534 }
1535
1536 tssret = Tspi_Context_Connect ((*list)->tpm_ctx, NULL);
1537 if (tssret)
1538 {
1539 gnutls_assert ();
1540 ret = tss_err(tssret);
1541 goto cleanup;
1542 }
1543
1544 tssret =
1545 Tspi_Context_GetRegisteredKeysByUUID2((*list)->tpm_ctx, TSS_PS_TYPE_SYSTEM,
1546 NULL, &(*list)->size, &(*list)->ki);
1547 if (tssret)
1548 {
1549 gnutls_assert ();
1550 ret = tss_err(tssret);
1551 goto cleanup;
1552 }
1553 return 0;
1554
1555 cleanup:
1556 gnutls_tpm_key_list_deinit(*list);
1557
1558 return ret;
1559 }
1560
1561 /**
1562 * gnutls_tpm_privkey_delete:
1563 * @url: the URL describing the key
1564 * @srk_password: a password for the SRK key
1565 *
1566 * This function will unregister the private key from the TPM
1567 * chip.
1568 *
1569 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1570 * negative error value.
1571 *
1572 * Since: 3.1.0
1573 **/
1574 int
1575 gnutls_tpm_privkey_delete (const char* url, const char* srk_password)
1576 {
1577 struct tpm_ctx_st s;
1578 struct tpmkey_url_st durl;
1579 TSS_RESULT tssret;
1580 TSS_HKEY tkey;
1581 int ret;
1582
1583 ret = decode_tpmkey_url(url, &durl);
1584 if (ret < 0)
1585 return gnutls_assert_val(ret);
1586
1587 if (durl.uuid_set == 0)
1588 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1589
1590 ret = tpm_open_session(&s, srk_password);
1591 if (ret < 0)
1592 return gnutls_assert_val(ret);
1593
1594 tssret = Tspi_Context_UnregisterKey(s.tpm_ctx, durl.storage, durl.uuid, &tkey);
1595 if (tssret != 0)
1596 {
1597 gnutls_assert();
1598 ret = tss_err(tssret);
1599 goto err_cc;
1600 }
1601
1602 ret = 0;
1603 err_cc:
1604 tpm_close_session(&s);
1605 return ret;
1606 }
Implementation of the SSL/TLS protocol