Merge pull request #77 from dgarske/changeauth

Added wrapper for changing a key's authentication
wolfSSL · Aug 15, 2019 · b26a955 · b26a955
2 parents 27eea15 + 78be509
commit b26a955
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 0 deletions.
diff --git a/examples/tpm_test.h b/examples/tpm_test.h
@@ -40,6 +40,7 @@
 
 static const char gStorageKeyAuth[] = "ThisIsMyStorageKeyAuth";
 static const char gKeyAuth[] =        "ThisIsMyKeyAuth";
+static const char gKeyAuthAlt[] =     "ThisIsMyKeyAltAuth";
 static const char gUsageAuth[] =      "ThisIsASecretUsageAuth";
 
 #ifndef WOLFTPM_ST33

diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c
@@ -353,6 +353,11 @@ int TPM2_Wrapper_Test(void* userCtx)
         &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
     if (rc != 0) goto exit;
 
+    /* Test changing auth for a key */
+    rc = wolfTPM2_ChangeAuthKey(&dev, &eccKey, &storageKey.handle,
+        (byte*)gKeyAuthAlt, sizeof(gKeyAuthAlt)-1);
+    if (rc != 0) goto exit;
+
     /* Perform sign / verify */
     message.size = TPM_SHA256_DIGEST_SIZE; /* test message 0x11,0x11,etc */
     XMEMSET(message.buffer, 0x11, message.size);

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -512,6 +512,69 @@ int wolfTPM2_CreatePrimaryKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     return rc;
 }
 
+int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
+    WOLFTPM2_HANDLE* parent, const byte* auth, int authSz)
+{
+    int rc;
+    ObjectChangeAuth_In changeIn;
+    ObjectChangeAuth_Out changeOut;
+    Load_In  loadIn;
+    Load_Out loadOut;
+
+    if (dev == NULL || key == NULL || parent == NULL)
+        return BAD_FUNC_ARG;
+
+    /* set session auth for key */
+    dev->session[0].auth = key->handle.auth;
+
+    XMEMSET(&changeIn, 0, sizeof(changeIn));
+    changeIn.objectHandle = key->handle.hndl;
+    changeIn.parentHandle = parent->hndl;
+    if (auth) {
+        if (authSz > (int)sizeof(changeIn.newAuth.buffer))
+            authSz = (int)sizeof(changeIn.newAuth.buffer);
+        changeIn.newAuth.size = authSz;
+        XMEMCPY(changeIn.newAuth.buffer, auth, changeIn.newAuth.size);
+    }
+
+    rc = TPM2_ObjectChangeAuth(&changeIn, &changeOut);
+    if (rc != TPM_RC_SUCCESS) {
+    #ifdef DEBUG_WOLFTPM
+        printf("TPM2_ObjectChangeAuth failed %d: %s\n", rc,
+                wolfTPM2_GetRCString(rc));
+    #endif
+        return rc;
+    }
+
+    /* unload old key */
+    wolfTPM2_UnloadHandle(dev, &key->handle);
+
+    /* set session auth for parent key */
+    dev->session[0].auth = parent->auth;
+
+    /* Load new key */
+    XMEMSET(&loadIn, 0, sizeof(loadIn));
+    loadIn.parentHandle = parent->hndl;
+    loadIn.inPrivate = changeOut.outPrivate;
+    loadIn.inPublic = key->pub;
+    rc = TPM2_Load(&loadIn, &loadOut);
+    if (rc != TPM_RC_SUCCESS) {
+    #ifdef DEBUG_WOLFTPM
+        printf("TPM2_Load key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc));
+    #endif
+        return rc;
+    }
+    key->handle.dev  = dev;
+    key->handle.hndl = loadOut.objectHandle;
+    key->handle.auth = changeIn.newAuth;
+
+#ifdef DEBUG_WOLFTPM
+    printf("wolfTPM2_ChangeAuthKey: Key Handle 0x%x\n", (word32)key->handle.hndl);
+#endif
+
+    return rc;
+}
+
 int wolfTPM2_CreateAndLoadKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     WOLFTPM2_HANDLE* parent, TPMT_PUBLIC* publicTemplate,
     const byte* auth, int authSz)

diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
@@ -119,6 +119,8 @@ WOLFTPM_API int wolfTPM2_StartSession(WOLFTPM2_DEV* dev,
 WOLFTPM_API int wolfTPM2_CreatePrimaryKey(WOLFTPM2_DEV* dev,
     WOLFTPM2_KEY* key, TPM_HANDLE primaryHandle, TPMT_PUBLIC* publicTemplate,
     const byte* auth, int authSz);
+WOLFTPM_API int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
+    WOLFTPM2_HANDLE* parent, const byte* auth, int authSz);
 WOLFTPM_API int wolfTPM2_CreateAndLoadKey(WOLFTPM2_DEV* dev,
     WOLFTPM2_KEY* key, WOLFTPM2_HANDLE* parent, TPMT_PUBLIC* publicTemplate,
     const byte* auth, int authSz);