9 changes: 9 additions & 0 deletions man/tpm2_sign.1.md
Expand Up @@ -46,6 +46,15 @@ data and validation shall indicate that hashed data did not start with

The message file, containing the content to be digested.

* **-D**, **--digest**=_DIGEST\_FILE_:

The digest file that shall be computed using the correct hash
algorithm. When this option is specified, a warning is generated and
**both the message file (-m) and the validation ticket (-t) are
ignored**.
You cannot use this option to sign a digest against a restricted
signing key.

* **-t**, **--ticket**=_TICKET\_FILE_:

The ticket file, containning the validation structure, optional.
29 changes: 27 additions & 2 deletions test/system/tests/sign.sh
Expand Up @@ -37,8 +37,10 @@ file_signing_key_priv=oprB1_B8
file_signing_key_ctx=context_load_out_B1_B8
file_signing_key_name=name.load.B1_B8
file_input_data=secret.data
file_input_digest=secret.digest
file_output_data=sig.4

file_output_ticket=secret.ticket
file_output_hash=secret.hash

handle_signing_key=0x81010005

Expand All @@ -55,7 +57,8 @@ trap onerror ERR
cleanup() {
rm -f $file_input_data $file_primary_key_ctx $file_signing_key_pub \
$file_signing_key_priv $file_signing_key_ctx $file_signing_key_name \
$file_output_data
$file_output_data $file_input_digest $file_output_ticket \
$file_output_hash

tpm2_evictcontrol -Q -Ao -H $handle_signing_key 2>/dev/null || true
}
Expand All @@ -81,4 +84,26 @@ tpm2_evictcontrol -Q -A o -c $file_signing_key_ctx -S $handle_signing_key

tpm2_sign -Q -k $handle_signing_key -g $alg_hash -m $file_input_data -s $file_output_data

rm -f $file_output_data

# generate hash and test validation

tpm2_hash -Q -H e -g $alg_hash -o $file_output_hash -t $file_output_ticket $file_input_data

tpm2_sign -Q -k $handle_signing_key -g $alg_hash -s $file_output_data -m $file_input_data -t $file_output_ticket

rm -f $file_output_data

# test with digest, no validation

sha256sum $file_input_data | awk '{ print "000000 " $1 }' | xxd -r -c 32 > $file_input_digest

tpm2_sign -Q -k $handle_signing_key -g $alg_hash -D $file_input_digest -s $file_output_data

rm -f $file_output_data

# test with digest + message/validation (warning generated)

tpm2_sign -Q -k $handle_signing_key -g $alg_hash -D $file_input_digest -s $file_output_data -m $file_input_data -t $file_output_ticket |& grep -q ^WARN

exit 0
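Review bot: The digest test on the `sha256sum` line hard-codes SHA-256 while every tpm2_sign call on this page takes `-g $alg_hash` (set above the hunk), so the two silently drift apart if `alg_hash` is ever changed; computing the digest from `$alg_hash`, or asserting next to that line that it is sha256, keeps them in step. The last check runs tpm2_sign through `|& grep -q ^WARN`, so with `trap onerror ERR` only grep's status is observed and a tpm2_sign failure that still prints WARN passes; `set -o pipefail` (or capturing the output first) tightens it, and `|&` is bash-only. If signing is meant to succeed in that warning case, a `test -s $file_output_data` afterwards would confirm a signature was actually written.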
6 changes: 3 additions & 3 deletions tools/tpm2_certify.c
Expand Up @@ -240,7 +240,7 @@ static bool on_option(char key, char *value) {
if (files_does_file_exist(value)) {
return false;
}
ctx.file_path.sig = optarg;
ctx.file_path.sig = value;
ctx.flags.s = 1;
break;
case 'c':
Expand All @@ -256,12 +256,12 @@ static bool on_option(char key, char *value) {
LOG_ERR("Multiple specifications of -C");
return false;
}
ctx.context_file = optarg;
ctx.context_file = value;
ctx.flags.C = 1;
break;
case 'f':
ctx.flags.f = 1;
ctx.sig_fmt = tpm2_parse_signature_format(optarg);
ctx.sig_fmt = tpm2_parse_signature_format(value);

if (ctx.sig_fmt == signature_format_err) {
return false;
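Review bot: The `files_does_file_exist(value)` guard at the top of the `-s` case returns false without any message, so a user whose signature file already exists sees the tool fail with no explanation; the other failing cases on this page log before returning, so `LOG_ERR("Signature file \"%s\" already exists", value);` ahead of the `return false;` would match them. The enclosing `on_option` begins and ends outside the hunk.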
12 changes: 6 additions & 6 deletions tools/tpm2_changeauth.c
Expand Up @@ -107,42 +107,42 @@ static bool on_option(char key, char *value) {
case 'o':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.owner.new);
if (!result) {
LOG_ERR("Invalid new owner password, got\"%s\"", optarg);
LOG_ERR("Invalid new owner password, got\"%s\"", value);
return false;
}
break;
case 'e':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.endorse.new);
if (!result) {
LOG_ERR("Invalid new endorse password, got\"%s\"", optarg);
LOG_ERR("Invalid new endorse password, got\"%s\"", value);
return false;
}
break;
case 'l':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.lockout.new);
if (!result) {
LOG_ERR("Invalid new lockout password, got\"%s\"", optarg);
LOG_ERR("Invalid new lockout password, got\"%s\"", value);
return false;
}
break;
case 'O':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.owner.old);
if (!result) {
LOG_ERR("Invalid current owner password, got\"%s\"", optarg);
LOG_ERR("Invalid current owner password, got\"%s\"", value);
return false;
}
break;
case 'E':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.endorse.old);
if (!result) {
LOG_ERR("Invalid current endorse password, got\"%s\"", optarg);
LOG_ERR("Invalid current endorse password, got\"%s\"", value);
return false;
}
break;
case 'L':
result = tpm2_password_util_from_optarg(value, &ctx.passwords.lockout.old);
if (!result) {
LOG_ERR("Invalid current lockout password, got\"%s\"", optarg);
LOG_ERR("Invalid current lockout password, got\"%s\"", value);
return false;
}
break;
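Review bot: Each of the six `LOG_ERR("Invalid ... password, got\"%s\"", value)` calls now echoes the rejected password to the error output, so a mistyped secret (often one character away from the real one) ends up in terminals, CI logs and shell transcripts; reporting only that the value was rejected, e.g. `LOG_ERR("Invalid new owner password");`, avoids that. The same pattern appears in the hunks for tools/tpm2_getmanufec.c, tools/tpm2_nvread.c (the `-P` case) and tools/tpm2_pcrevent.c. Separately, the format strings lack a space before the opening quote (`got\"%s\"`), which becomes moot if the value is dropped. `on_option` starts and ends outside the hunk.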
6 changes: 3 additions & 3 deletions tools/tpm2_getmanufec.c
Expand Up @@ -443,21 +443,21 @@ static bool on_option(char key, char *value) {
case 'e':
return_val = tpm2_password_util_from_optarg(value, &ctx.endorse_session_data.hmac);
if (!return_val) {
LOG_ERR("Invalid endorsement password, got\"%s\"", optarg);
LOG_ERR("Invalid endorsement password, got\"%s\"", value);
return false;
}
break;
case 'o':
return_val = tpm2_password_util_from_optarg(value, &ctx.owner_session_data.hmac);
if (!return_val) {
LOG_ERR("Invalid owner password, got\"%s\"", optarg);
LOG_ERR("Invalid owner password, got\"%s\"", value);
return false;
}
break;
case 'P':
return_val = tpm2_password_util_from_optarg(value, &ctx.ek_password);
if (!return_val) {
LOG_ERR("Invalid EK password, got\"%s\"", optarg);
LOG_ERR("Invalid EK password, got\"%s\"", value);
return false;
}
break;
4 changes: 2 additions & 2 deletions tools/tpm2_load.c
Expand Up @@ -116,7 +116,7 @@ static bool on_option(char key, char *value) {

switch(key) {
case 'H':
if (!tpm2_util_string_to_uint32(optarg, &ctx.parent_handle)) {
if (!tpm2_util_string_to_uint32(value, &ctx.parent_handle)) {
return false;
}
ctx.flags.H = 1;
Expand All @@ -129,7 +129,7 @@ static bool on_option(char key, char *value) {
}
break;
case 'u':
if(!files_load_public(optarg, &ctx.in_public)) {
if(!files_load_public(value, &ctx.in_public)) {
return false;;
}
ctx.flags.u = 1;
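Review bot: The `return false;;` in the `-u` case carries a stray second semicolon (an empty statement) that reads like a typo; `return false;` is enough, and the same line appears in the tools/tpm2_loadexternal.c hunk. Neither `-u` case says why the public file failed to load, unlike the handle conversions elsewhere on this page, so a `LOG_ERR("Could not load public file \"%s\"", value);` before returning would help the user. `on_option` begins and ends outside the hunk.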
2 changes: 1 addition & 1 deletion tools/tpm2_loadexternal.c
Expand Up @@ -121,7 +121,7 @@ static bool on_option(char key, char *value) {
ctx.flags.H = 1;
break;
case 'u':
if(!files_load_public(optarg, &ctx.public_key)) {
if(!files_load_public(value, &ctx.public_key)) {
return false;;
}
ctx.flags.u = 1;
2 changes: 1 addition & 1 deletion tools/tpm2_makecredential.c
Expand Up @@ -178,7 +178,7 @@ static bool on_option(char key, char *value) {
ctx.flags.n = 1;
} break;
case 'o':
ctx.out_file_path = optarg;
ctx.out_file_path = value;
ctx.flags.o = 1;
break;
}
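Review bot: The `} break;` closing the `-n` case folds the break onto the brace line, unlike every other case on this page, where `break;` sits on its own line; splitting it keeps the switch scannable. The rest of that case, and `on_option` itself, lie outside the hunk.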
4 changes: 2 additions & 2 deletions tools/tpm2_nvdefine.c
Expand Up @@ -170,10 +170,10 @@ static bool on_option(char key, char *value) {
}
break;
case 'L':
ctx.policy_file = optarg;
ctx.policy_file = value;
break;
case 'S':
if (!tpm2_util_string_to_uint32(optarg, &ctx.session_data.sessionHandle)) {
if (!tpm2_util_string_to_uint32(value, &ctx.session_data.sessionHandle)) {
LOG_ERR("Could not convert session handle to number, got: \"%s\"",
value);
return false;
14 changes: 7 additions & 7 deletions tools/tpm2_nvread.c
Expand Up @@ -172,7 +172,7 @@ static bool on_option(char key, char *value) {
result = tpm2_util_string_to_uint32(value, &ctx.nv_index);
if (!result) {
LOG_ERR("Could not convert NV index to number, got: \"%s\"",
optarg);
value);
return false;
}

Expand All @@ -185,7 +185,7 @@ static bool on_option(char key, char *value) {
result = tpm2_util_string_to_uint32(value, &ctx.auth_handle);
if (!result) {
LOG_ERR("Could not convert auth handle to number, got: \"%s\"",
optarg);
value);
return false;
}

Expand All @@ -200,30 +200,30 @@ static bool on_option(char key, char *value) {
case 'P':
result = tpm2_password_util_from_optarg(value, &ctx.session_data.hmac);
if (!result) {
LOG_ERR("Invalid handle password, got\"%s\"", optarg);
LOG_ERR("Invalid handle password, got\"%s\"", value);
return false;
}
break;
case 's':
result = tpm2_util_string_to_uint32(value, &ctx.size_to_read);
if (!result) {
LOG_ERR("Could not convert size to number, got: \"%s\"",
optarg);
value);
return false;
}
break;
case 'o':
result = tpm2_util_string_to_uint32(value, &ctx.offset);
if (!result) {
LOG_ERR("Could not convert offset to number, got: \"%s\"",
optarg);
value);
return false;
}
break;
case 'S':
if (!tpm2_util_string_to_uint32(value, &ctx.session_data.sessionHandle)) {
LOG_ERR("Could not convert session handle to number, got: \"%s\"",
optarg);
value);
return false;
}
break;
Expand All @@ -234,7 +234,7 @@ static bool on_option(char key, char *value) {
ctx.flags.L = 1;
break;
case 'F':
ctx.raw_pcrs_file = optarg;
ctx.raw_pcrs_file = value;
break;
/* no default */
}
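Review bot: The `-S` case calls `tpm2_util_string_to_uint32` directly inside the `if`, while the neighbouring index, handle, `-s` and `-o` cases go through `result = ...; if (!result)`; using one form throughout the switch would read more evenly. The `-P` case echoes the rejected handle password in its `LOG_ERR`, the same concern raised for tools/tpm2_changeauth.c. `on_option` starts and ends outside the hunk.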
2 changes: 1 addition & 1 deletion tools/tpm2_nvwrite.c
Expand Up @@ -201,7 +201,7 @@ static bool on_option(char key, char *value) {
ctx.flags.L = 1;
break;
case 'F':
ctx.raw_pcrs_file = optarg;
ctx.raw_pcrs_file = value;
break;
}

4 changes: 2 additions & 2 deletions tools/tpm2_pcrevent.c
Expand Up @@ -306,7 +306,7 @@ static bool on_option(char key, char *value) {
if (!result) {
LOG_ERR(
"Could not convert session handle to number, got: \"%s\"",
optarg);
value);
return false;
}
}
Expand All @@ -316,7 +316,7 @@ static bool on_option(char key, char *value) {
bool result = tpm2_password_util_from_optarg(value,
&ctx.session_data.hmac);
if (!result) {
LOG_ERR("Invalid key handle password, got\"%s\"", optarg);
LOG_ERR("Invalid key handle password, got\"%s\"", value);
return false;
}
}
16 changes: 8 additions & 8 deletions tools/tpm2_quote.c
Expand Up @@ -142,7 +142,7 @@ static bool on_option(char key, char *value) {
k_flag = 1;
break;
case 'c':
contextFilePath = optarg;
contextFilePath = value;
c_flag = 1;
break;

Expand All @@ -162,7 +162,7 @@ static bool on_option(char key, char *value) {
l_flag = 1;
break;
case 'g':
pcrSelections.pcrSelections[0].hash = tpm2_alg_util_from_optarg(optarg);
pcrSelections.pcrSelections[0].hash = tpm2_alg_util_from_optarg(value);
if (pcrSelections.pcrSelections[0].hash == TPM2_ALG_ERROR)
{
LOG_ERR("Could not convert pcr hash selection, got: \"%s\"", value);
Expand All @@ -180,7 +180,7 @@ static bool on_option(char key, char *value) {
L_flag = 1;
break;
case 'o':
outFilePath = optarg;
outFilePath = value;
o_flag = 1;
break;
case 'q':
Expand All @@ -194,26 +194,26 @@ static bool on_option(char key, char *value) {
case 'S':
if (!tpm2_util_string_to_uint32(value, &auth_session_handle)) {
LOG_ERR("Could not convert session handle to number, got: \"%s\"",
optarg);
value);
return false;
}
is_auth_session = true;
break;
case 's':
signature_path = optarg;
signature_path = value;
break;
case 'm':
message_path = optarg;
message_path = value;
break;
case 'f':
sig_format = tpm2_parse_signature_format(optarg);
sig_format = tpm2_parse_signature_format(value);

if (sig_format == signature_format_err) {
return false;
}
break;
case 'G':
sig_hash_algorithm = tpm2_alg_util_from_optarg(optarg);
sig_hash_algorithm = tpm2_alg_util_from_optarg(value);
if(sig_hash_algorithm == TPM2_ALG_ERROR) {
LOG_ERR("Could not convert signature hash algorithm selection, got: \"%s\"", value);
return false;
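Review bot: The hunk stores option values in bare file-scope variables (`contextFilePath`, `c_flag`, `outFilePath`, `signature_path`, `message_path`, `sig_hash_algorithm`) where every other tool in this commit collects them in a single `ctx` struct with a `flags` member; moving them into a `ctx` would make tpm2_quote consistent with the rest, and keeps them out of the global namespace if they are not already `static` (their declarations are outside the hunk). The `-g` case also puts the opening brace of its `if` on a line of its own, unlike every other `if` on the page. `on_option` begins and ends outside the hunk.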
6 changes: 3 additions & 3 deletions tools/tpm2_readpublic.c
Expand Up @@ -109,14 +109,14 @@ static bool on_option(char key, char *value) {
ctx.flags.H = 1;
break;
case 'o':
ctx.outFilePath = optarg;
ctx.outFilePath = value;
break;
case 'c':
ctx.context_file = optarg;
ctx.context_file = value;
ctx.flags.c = 1;
break;
case 'f':
ctx.format = tpm2_parse_pubkey_format(optarg);
ctx.format = tpm2_parse_pubkey_format(value);
if (ctx.format == pubkey_format_err) {
return false;
}