1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
// This file was extracted from the TCG Published
// Trusted Platform Module Library
// Part 3: Commands
// Family "2.0"
// Level 00 Revision 01.16
// October 30, 2014
#include "InternalRoutines.h"
#include "Attest_spt_fp.h"
#include "CertifyCreation_fp.h"
//
//
// Error Returns Meaning
//
// TPM_RC_KEY key referenced by signHandle is not a signing key
// TPM_RC_SCHEME inScheme is not compatible with signHandle
// TPM_RC_TICKET creationTicket does not match objectHandle
// TPM_RC_VALUE digest generated for inScheme is greater or has larger size than the
// modulus of signHandle, or the buffer for the result in signature is too
// small (for an RSA key); invalid commit status (for an ECC key with a
// split scheme).
//
TPM_RC
TPM2_CertifyCreation(
CertifyCreation_In *in, // IN: input parameter list
CertifyCreation_Out *out // OUT: output parameter list
)
{
TPM_RC result;
TPM2B_NAME name;
TPMT_TK_CREATION ticket;
TPMS_ATTEST certifyInfo;
// Input Validation
// CertifyCreation specific input validation
// Get certified object name
name.t.size = ObjectGetName(in->objectHandle, &name.t.name);
// Re-compute ticket
TicketComputeCreation(in->creationTicket.hierarchy, &name,
&in->creationHash, &ticket);
// Compare ticket
if(!Memory2BEqual(&ticket.digest.b, &in->creationTicket.digest.b))
return TPM_RC_TICKET + RC_CertifyCreation_creationTicket;
// Command Output
// Common fields
result = FillInAttestInfo(in->signHandle, &in->inScheme, &in->qualifyingData,
&certifyInfo);
if(result != TPM_RC_SUCCESS)
{
if(result == TPM_RC_KEY)
return TPM_RC_KEY + RC_CertifyCreation_signHandle;
else
return RcSafeAddToResult(result, RC_CertifyCreation_inScheme);
}
// CertifyCreation specific fields
// Attestation type
certifyInfo.type = TPM_ST_ATTEST_CREATION;
certifyInfo.attested.creation.objectName = name;
// Copy the creationHash
certifyInfo.attested.creation.creationHash = in->creationHash;
// Sign attestation structure. A NULL signature will be returned if
// signHandle is TPM_RH_NULL. A TPM_RC_NV_UNAVAILABLE, TPM_RC_NV_RATE,
// TPM_RC_VALUE, TPM_RC_SCHEME or TPM_RC_ATTRIBUTES error may be returned at
// this point
result = SignAttestInfo(in->signHandle,
&in->inScheme,
&certifyInfo,
&in->qualifyingData,
&out->certifyInfo,
&out->signature);
// TPM_RC_ATTRIBUTES cannot be returned here as FillInAttestInfo would already
// have returned TPM_RC_KEY
pAssert(result != TPM_RC_ATTRIBUTES);
if(result != TPM_RC_SUCCESS)
return result;
// orderly state should be cleared because of the reporting of clock info
// if signing happens
if(in->signHandle != TPM_RH_NULL)
g_clearOrderly = TRUE;
return TPM_RC_SUCCESS;
}
|
