1 /********************************************************************************/
2 /*										*/
3 /*			    PolicySecret	 				*/
4 /*			     Written by Ken Goldman				*/
5 /*		       IBM Thomas J. Watson Research Center			*/
6 /*										*/
7 /* (c) Copyright IBM Corporation 2015 - 2019.					*/
8 /*										*/
9 /* All rights reserved.								*/
10 /* 										*/
11 /* Redistribution and use in source and binary forms, with or without		*/
12 /* modification, are permitted provided that the following conditions are	*/
13 /* met:										*/
14 /* 										*/
15 /* Redistributions of source code must retain the above copyright notice,	*/
16 /* this list of conditions and the following disclaimer.			*/
17 /* 										*/
18 /* Redistributions in binary form must reproduce the above copyright		*/
19 /* notice, this list of conditions and the following disclaimer in the		*/
20 /* documentation and/or other materials provided with the distribution.		*/
21 /* 										*/
22 /* Neither the names of the IBM Corporation nor the names of its		*/
23 /* contributors may be used to endorse or promote products derived from		*/
24 /* this software without specific prior written permission.			*/
25 /* 										*/
26 /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS		*/
27 /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT		*/
28 /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR	*/
29 /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT		*/
30 /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,	*/
31 /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT		*/
32 /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,	*/
33 /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	*/
34 /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT		*/
35 /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	*/
36 /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.		*/
37 /********************************************************************************/
38 
39 /*
40 
41  */
42 
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#include <ibmtss/tss.h>
#include <ibmtss/tssutils.h>
#include <ibmtss/tssresponsecode.h>
#include <ibmtss/tssmarshal.h>
52 
53 static void printUsage(void);
54 
55 extern int tssUtilsVerbose;
56 
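/*
 * policysecret: command line front end for TPM2_PolicySecret.
 *
 * Parses the command line, optionally reads nonceTPM / cpHashA / policyRef
 * from files, executes the command through the TSS, and optionally writes
 * the returned policy ticket and timeout to files.
 *
 * Usage errors are reported by printUsage(), which prints the usage summary
 * and exits with status 1 without returning.
 *
 * Returns 0 on success, EXIT_FAILURE on any TSS or file error.
 */
int main(int argc, char *argv[])
{
    TPM_RC			rc = 0;
    int				i;    /* argc iterator */
    TSS_CONTEXT			*tssContext = NULL;
    PolicySecret_In 		in;
    PolicySecret_Out 		out;
    TPMI_DH_ENTITY		authHandle = 0;
    TPMI_SH_POLICY		policySession = 0;
    const char 			*nonceTPMFilename = NULL;
    const char 			*cpHashAFilename = NULL;
    const char			*policyRefFilename = NULL;
    int32_t			expiration = 0;
    const char			*ticketFilename = NULL;
    const char			*timeoutFilename = NULL;
    const char			*entityPassword = NULL;
    TPMI_SH_AUTH_SESSION    	sessionHandle0 = TPM_RS_PW;
    unsigned int		sessionAttributes0 = 0;
    TPMI_SH_AUTH_SESSION    	sessionHandle1 = TPM_RH_NULL;
    unsigned int		sessionAttributes1 = 0;
    TPMI_SH_AUTH_SESSION    	sessionHandle2 = TPM_RH_NULL;
    unsigned int		sessionAttributes2 = 0;

    setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to log file */
    TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
    tssUtilsVerbose = FALSE;

    /* command line argument defaults */

    /* the three optional TPM2B inputs default to empty; they are only filled in
       when the corresponding file option is given */
    in.nonceTPM.b.size = 0;
    in.cpHashA.b.size = 0;
    in.policyRef.b.size = 0;

    for (i=1 ; (i<argc) && (rc == 0) ; i++) {
	if (strcmp(argv[i],"-ha") == 0) {
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &authHandle);
	    }
	    else {
		printf("Missing parameter for -ha\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-hs") == 0) {
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &policySession);
	    }
	    else {
		printf("Missing parameter for -hs\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-in") == 0) {
	    i++;
	    if (i < argc) {
		nonceTPMFilename = argv[i];
	    }
	    else {
		printf("-in option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-cp") == 0) {
	    i++;
	    if (i < argc) {
		cpHashAFilename = argv[i];
	    }
	    else {
		printf("-cp option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-pref") == 0) {
	    i++;
	    if (i < argc) {
		policyRefFilename = argv[i];
	    }
	    else {
		printf("-pref option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-exp") == 0) {
	    i++;
	    if (i < argc) {
		/* strtol rather than atoi so that non-numeric or out of range
		   input is rejected instead of silently becoming 0; negative
		   values are legal for expiration, so the full int32_t range is
		   accepted */
		char *end = NULL;
		long value;
		errno = 0;
		value = strtol(argv[i], &end, 10);
		if ((end == argv[i]) || (*end != '\0') || (errno == ERANGE) ||
		    (value < INT32_MIN) || (value > INT32_MAX)) {
		    printf("Invalid or out of range parameter for -exp\n");
		    printUsage();
		}
		expiration = (int32_t)value;
	    }
	    else {
		printf("Missing parameter for -exp\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-pwde") == 0) {
	    i++;
	    if (i < argc) {
		entityPassword = argv[i];
	    }
	    else {
		/* error message names the option actually being parsed */
		printf("-pwde option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-tk") == 0) {
	    i++;
	    if (i < argc) {
		ticketFilename = argv[i];
	    }
	    else {
		printf("-tk option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-to") == 0) {
	    i++;
	    if (i < argc) {
		timeoutFilename = argv[i];
	    }
	    else {
		printf("-to option needs a value\n");
		printUsage();
	    }
	}
	/* each -seN option consumes two values: the session handle and the
	   session attribute byte */
	else if (strcmp(argv[i],"-se0") == 0) {
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &sessionHandle0);
	    }
	    else {
		printf("Missing parameter for -se0\n");
		printUsage();
	    }
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &sessionAttributes0);
		if (sessionAttributes0 > 0xff) {
		    printf("Out of range session attributes for -se0\n");
		    printUsage();
		}
	    }
	    else {
		printf("Missing parameter for -se0\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-se1") == 0) {
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &sessionHandle1);
	    }
	    else {
		printf("Missing parameter for -se1\n");
		printUsage();
	    }
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &sessionAttributes1);
		if (sessionAttributes1 > 0xff) {
		    printf("Out of range session attributes for -se1\n");
		    printUsage();
		}
	    }
	    else {
		printf("Missing parameter for -se1\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-se2") == 0) {
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &sessionHandle2);
	    }
	    else {
		printf("Missing parameter for -se2\n");
		printUsage();
	    }
	    i++;
	    if (i < argc) {
		sscanf(argv[i],"%x", &sessionAttributes2);
		if (sessionAttributes2 > 0xff) {
		    printf("Out of range session attributes for -se2\n");
		    printUsage();
		}
	    }
	    else {
		printf("Missing parameter for -se2\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-h") == 0) {
	    printUsage();
	}
	else if (strcmp(argv[i],"-v") == 0) {
	    tssUtilsVerbose = TRUE;
	    TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
	}
	else {
	    printf("\n%s is not a valid option\n", argv[i]);
	    printUsage();
	}
    }
    /* both handles are mandatory; 0 is never a valid handle so it doubles as
       the "not supplied" marker */
    if (authHandle == 0) {
	printf("Missing authorizing entity handle parameter -ha\n");
	printUsage();
    }
    if (policySession == 0) {
	printf("Missing policy session handle parameter -hs\n");
	printUsage();
    }
    if (rc == 0) {
	in.authHandle = authHandle;
	in.policySession = policySession;
    }
    /* optional TPM2B inputs are read from files, bounded by the structure's buffer size */
    if ((rc == 0) && (nonceTPMFilename != NULL)) {
	rc = TSS_File_Read2B(&in.nonceTPM.b,
			     sizeof(in.nonceTPM.t.buffer),
			     nonceTPMFilename);
    }
    if ((rc == 0) && (cpHashAFilename != NULL)) {
	rc = TSS_File_Read2B(&in.cpHashA.b,
			     sizeof(in.cpHashA.t.buffer),
			     cpHashAFilename);
    }
    if ((rc == 0) && (policyRefFilename != NULL)) {
	rc = TSS_File_Read2B(&in.policyRef.b,
			     sizeof(in.policyRef.t.buffer),
			     policyRefFilename);
    }
    if (rc == 0) {
	in.expiration = expiration;
    }
    /* Start a TSS context */
    if (rc == 0) {
	rc = TSS_Create(&tssContext);
    }
    /* call TSS to execute the command */
    if (rc == 0) {
	/* session 0 authorizes the entity (authHandle) with entityPassword;
	   sessions 1 and 2 are optional extra sessions (e.g. encrypt/decrypt) */
	rc = TSS_Execute(tssContext,
			 (RESPONSE_PARAMETERS *)&out,
			 (COMMAND_PARAMETERS *)&in,
			 NULL,
			 TPM_CC_PolicySecret,
			 sessionHandle0, entityPassword, sessionAttributes0,
			 sessionHandle1, NULL, sessionAttributes1,
			 sessionHandle2, NULL, sessionAttributes2,
			 TPM_RH_NULL, NULL, 0);
    }
    {
	/* always delete the context, but keep the first error if there was one;
	   NOTE(review): tssContext is still NULL if TSS_Create failed — presumably
	   TSS_Delete tolerates that, verify against the library */
	TPM_RC rc1 = TSS_Delete(tssContext);
	if (rc == 0) {
	    rc = rc1;
	}
    }
    /* outputs are only written on success, so a caller never sees a stale file
       from a failed command */
    if ((rc == 0) && (ticketFilename != NULL)) {
	rc = TSS_File_WriteStructure(&out.policyTicket,
				     (MarshalFunction_t)TSS_TPMT_TK_AUTH_Marshalu,
				     ticketFilename);
    }
    if ((rc == 0) && (timeoutFilename != NULL)) {
	rc = TSS_File_WriteBinaryFile(out.timeout.b.buffer,
				      out.timeout.b.size,
				      timeoutFilename);
    }
    if (rc == 0) {
	if (tssUtilsVerbose) printf("policysecret: success\n");
    }
    else {
	const char *msg;
	const char *submsg;
	const char *num;
	printf("policysecret: failed, rc %08x\n", rc);
	TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
	printf("%s%s%s\n", msg, submsg, num);
	rc = EXIT_FAILURE;
    }
    return rc;
}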
335 
/*
 * Prints the command line usage summary to stdout and exits with status 1.
 * Does not return.
 */
static void printUsage(void)
{
    static const char *const usageLines[] = {
	"",
	"policysecret",
	"",
	"Runs TPM2_PolicySecret",
	"",
	"\t-ha\tauthorizing entity handle",
	"\t-hs\tpolicy session handle",
	"\t[-in\tnonceTPM file (default none)]",
	"\t[-cp\tcpHash file (default none)]",
	"\t[-pref\tpolicyRef file (default none)]",
	"\t[-exp\texpiration (default none)]",
	"\t[-pwde\tauthorizing entity password (default empty)]",
	"\t[-tk\tticket file name]",
	"\t[-to\ttimeout file name]",
	"",
	"\t-se[0-2] session handle / attributes (default PWAP)",
	"\t01\tcontinue",
	"\t20\tcommand decrypt",
	"\t40\tresponse encrypt",
    };
    size_t line;

    /* one line per entry, each terminated with a newline exactly as before */
    for (line = 0 ; line < sizeof(usageLines) / sizeof(usageLines[0]) ; line++) {
	printf("%s\n", usageLines[line]);
    }
    exit(1);
}
359