|
|
@@ -0,0 +1,43 @@ |
|
|
#!/bin/bash |
|
|
|
|
|
set -eufx |
|
|
|
|
|
export OPENSSL_ENGINES=${PWD}/.libs |
|
|
export LD_LIBRARY_PATH=$OPENSSL_ENGINES:${LD_LIBRARY_PATH-} |
|
|
export PATH=${PWD}:${PATH} |
|
|
|
|
|
DIR=$(mktemp -d) |
|
|
TPM_RSA_PUBKEY=${DIR}/rsakey.pub |
|
|
TPM_RSA_KEY=${DIR}/rsakey |
|
|
PARENT_CTX=${DIR}/primary_owner_key.ctx |
|
|
|
|
|
echo -n "abcde12345abcde12345">${DIR}/mydata |
|
|
|
|
|
tpm2_startup -c || true |
|
|
|
|
|
# Create primary key as persistent handle |
|
|
tpm2_createprimary -a o -g sha256 -G rsa -o ${PARENT_CTX} |
|
|
tpm2_flushcontext -t |
|
|
HANDLE=$(tpm2_evictcontrol -a o -c ${PARENT_CTX} | cut -d ' ' -f 2) |
|
|
tpm2_flushcontext -t |
|
|
|
|
|
# Create an RSA key pair |
|
|
echo "Generating RSA key pair" |
|
|
tpm2_create -p abc -C ${HANDLE} -g sha256 -G rsa -u ${TPM_RSA_PUBKEY} -r ${TPM_RSA_KEY} -A sign\|decrypt\|fixedtpm\|fixedparent\|sensitivedataorigin\|userwithauth\|noda |
|
|
tpm2_flushcontext -t |
|
|
|
|
|
tpm2tss-genkey -i ${TPM_RSA_PUBKEY} -k ${TPM_RSA_KEY} -p abc -P ${HANDLE} ${DIR}/mykey |
|
|
|
|
|
echo "abc" | openssl rsa -engine tpm2tss -inform engine -in ${DIR}/mykey -pubout -outform pem -out ${DIR}/mykey.pub -passin stdin |
|
|
|
|
|
echo "abc" | openssl pkeyutl -engine tpm2tss -keyform engine -inkey ${DIR}/mykey -sign -in ${DIR}/mydata -out ${DIR}/mysig -passin stdin |
|
|
|
|
|
# Release persistent HANDLE |
|
|
tpm2_evictcontrol -a o -c ${HANDLE} -p ${HANDLE} |
|
|
|
|
|
#this is a workaround because -verify allways exits 1 |
|
|
R="$(openssl pkeyutl -pubin -inkey ${DIR}/mykey.pub -verify -in ${DIR}/mydata -sigfile ${DIR}/mysig || true)" |
|
|
if ! echo $R | grep "Signature Verified Successfully" >/dev/null; then |
|
|
echo $R |
|
|
exit 1 |
|
|
fi |
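Review bot: Nothing evicts the persistent handle or removes `$DIR` when a command between the `HANDLE=$(tpm2_evictcontrol …)` line and the final `tpm2_evictcontrol -a o -c ${HANDLE} -p ${HANDLE}` fails, because `set -e` aborts before that line and no `trap` is registered, so each failed run leaves a persistent object in the TPM and the key blobs in a leftover temp dir. A `cleanup` function registered with `trap cleanup EXIT` directly after `DIR=$(mktemp -d)` covers both the failure and the `exit 1` path; the existing eviction line can then be followed by `HANDLE=` (or dropped) so the trap does not evict twice. The `HANDLE=$(tpm2_evictcontrol … | cut -d ' ' -f 2)` pipeline also hides a failing `tpm2_evictcontrol`, since only `cut`'s status is seen and an empty `HANDLE` is not caught by `-u`; changing the option line to `set -eufx -o pipefail` makes that failure abort the script. Quoting the expansions (`"${DIR}"`, `"${HANDLE}"`, `"$R"`) is a minor extra that keeps the mktemp path intact if TMPDIR ever contains whitespace.
```shell
DIR=$(mktemp -d)
HANDLE=

# Evict the persistent handle (if one was created) and remove the temp dir
# on every exit path, including an abort under `set -e` and the final `exit 1`.
cleanup() {
  if [ -n "${HANDLE}" ]; then
    tpm2_evictcontrol -a o -c "${HANDLE}" -p "${HANDLE}" || true
  fi
  rm -rf -- "${DIR:?}"
}
trap cleanup EXIT
# … unchanged: key paths, primary/RSA key creation, genkey, openssl sign/verify …
```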