From e90deb733eeadbabb3ed7ad5c184515a1f83d3cd Mon Sep 17 00:00:00 2001
From: ksmith3036 <44052735+ksmith3036@users.noreply.github.com>
Date: Tue, 31 Oct 2023 18:13:47 +0100
Subject: [PATCH 1/4] Updated to new build tools and new Windows SDK. Fixed
conflicting method declarations
---
PCPTool.v11/dll/AttestationApi.cpp | 32 ++--
PCPTool.v11/dll/PCPWbcl.cpp | 10 +-
PCPTool.v11/dll/dll.vcxproj | 8 +-
PCPTool.v11/exe/Support.cpp | 6 +-
PCPTool.v11/exe/exe.vcxproj | 8 +-
PCPTool.v11/inc/TpmAtt.h | 288 ++++++++++++++---------------
6 files changed, 176 insertions(+), 176 deletions(-)
diff --git a/PCPTool.v11/dll/AttestationApi.cpp b/PCPTool.v11/dll/AttestationApi.cpp
index ba621b17..bf135f30 100644
--- a/PCPTool.v11/dll/AttestationApi.cpp
+++ b/PCPTool.v11/dll/AttestationApi.cpp
@@ -424,7 +424,7 @@ TpmAttiComputeSoftPCRs(
goto Cleanup;
}
- if (FAILED(hr = WbclApiInitIterator(pbEventLog,
+ if (FAILED(hr = WbclApiInitIteratorX(pbEventLog,
cbEventLog,
&wbclIterator)))
{
@@ -453,9 +453,9 @@ TpmAttiComputeSoftPCRs(
}
for (; hr == S_OK;
- hr = WbclApiMoveToNextElement(&wbclIterator))
+ hr = WbclApiMoveToNextElementX(&wbclIterator))
{
- hr = WbclApiGetCurrentElement(
+ hr = WbclApiGetCurrentElementX(
&wbclIterator,
&PcrIndex,
&EventType,
@@ -632,7 +632,7 @@ TpmAttiFilterLog(
// Make OACR happy
*pcbResult = 0;
- if (FAILED(hr = WbclApiInitIterator(pbEventLog,
+ if (FAILED(hr = WbclApiInitIteratorX(pbEventLog,
cbEventLog,
&wbclIterator)))
{
@@ -650,9 +650,9 @@ TpmAttiFilterLog(
// 1st pass to find out how much space we will need
for (; hr == S_OK;
- hr = WbclApiMoveToNextElement(&wbclIterator))
+ hr = WbclApiMoveToNextElementX(&wbclIterator))
{
- hr = WbclApiGetCurrentElement(
+ hr = WbclApiGetCurrentElementX(
&wbclIterator,
&pcrIndex,
&eventType,
@@ -694,7 +694,7 @@ TpmAttiFilterLog(
goto Cleanup;
}
- if (FAILED(hr = WbclApiInitIterator(pbEventLog,
+ if (FAILED(hr = WbclApiInitIteratorX(pbEventLog,
cbEventLog,
&wbclIterator)))
{
@@ -723,9 +723,9 @@ TpmAttiFilterLog(
// 2nd pass to copy the entries
for (; hr == S_OK;
- hr = WbclApiMoveToNextElement(&wbclIterator))
+ hr = WbclApiMoveToNextElementX(&wbclIterator))
{
- hr = WbclApiGetCurrentElement(
+ hr = WbclApiGetCurrentElementX(
&wbclIterator,
&pcrIndex,
&eventType,
@@ -1119,7 +1119,7 @@ TpmAttGeneratePlatformAttestation(
goto Cleanup;
}
- if (FAILED(hr = WbclApiInitIterator(pbLog, cbLog, &wbclIterator)))
+ if (FAILED(hr = WbclApiInitIteratorX(pbLog, cbLog, &wbclIterator)))
{
goto Cleanup;
}
@@ -2039,7 +2039,7 @@ TpmAttCreateAttestationfromLog(
goto Cleanup;
}
- if (FAILED(hr = WbclApiInitIterator(pbLog,
+ if (FAILED(hr = WbclApiInitIteratorX(pbLog,
cbLog,
&wbclIterator)))
{
@@ -2048,9 +2048,9 @@ TpmAttCreateAttestationfromLog(
// parse the log
for (; hr == S_OK;
- hr = WbclApiMoveToNextElement(&wbclIterator))
+ hr = WbclApiMoveToNextElementX(&wbclIterator))
{
- hr = WbclApiGetCurrentElement(
+ hr = WbclApiGetCurrentElementX(
&wbclIterator,
&pcrIndex,
&eventType,
@@ -2399,7 +2399,7 @@ TpmAttGetPlatformAttestationProperties(
pAttestation->cbSignature];
cbPlatformLog = pAttestation->cbLog;
- if (FAILED(hr = WbclApiInitIterator(pbPlatformLog,
+ if (FAILED(hr = WbclApiInitIteratorX(pbPlatformLog,
cbPlatformLog,
&wbclIterator)))
{
@@ -2417,9 +2417,9 @@ TpmAttGetPlatformAttestationProperties(
// 2nd pass to copy the entries
for (; hr == S_OK;
- hr = WbclApiMoveToNextElement(&wbclIterator))
+ hr = WbclApiMoveToNextElementX(&wbclIterator))
{
- hr = WbclApiGetCurrentElement(
+ hr = WbclApiGetCurrentElementX(
&wbclIterator,
&pcrIndex,
&eventType,
diff --git a/PCPTool.v11/dll/PCPWbcl.cpp b/PCPTool.v11/dll/PCPWbcl.cpp
index 5acc37e2..7b053d15 100644
--- a/PCPTool.v11/dll/PCPWbcl.cpp
+++ b/PCPTool.v11/dll/PCPWbcl.cpp
@@ -511,7 +511,7 @@ Return value:
//
HRESULT
-WbclApiInitIterator(
+WbclApiInitIteratorX(
_In_bytecount_(logSize) PVOID pLogBuffer,
_In_ UINT32 logSize,
_Out_ WBCL_Iterator* pWbclIterator
@@ -589,7 +589,7 @@ Return value:
//
// Extract information for the first event in the log.
//
- hr = WbclApiGetCurrentElement(pWbclIterator,
+ hr = WbclApiGetCurrentElementX(pWbclIterator,
&pcrIndex,
&eventType,
NULL,
@@ -696,7 +696,7 @@ Return value:
// Move to the first log entry after the descriptor.
// WbclApiMoveToNextElement() does boundary checks.
//
- hr = WbclApiMoveToNextElement(pWbclIterator);
+ hr = WbclApiMoveToNextElementX(pWbclIterator);
if (hr != S_OK)
{
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
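Review bot: The comment two lines above the renamed call still names the old function, `// WbclApiMoveToNextElement() does boundary checks.`, while the call is now `WbclApiMoveToNextElementX(pWbclIterator)`; change it to `// WbclApiMoveToNextElementX() does boundary checks.` so the comment and the code refer to the same symbol. The same stale name check is worth doing on the other hunks of this file, since only the definitions and calls were renamed, not the prose around them. The enclosing function starts and ends outside the hunk.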
@@ -710,7 +710,7 @@ Return value:
}
HRESULT
-WbclApiGetCurrentElement(
+WbclApiGetCurrentElementX(
_In_ WBCL_Iterator* pWbclIterator,
_Out_ UINT32* pcrIndex,
_Out_ UINT32* eventType,
@@ -787,7 +787,7 @@ Return value:
}
HRESULT
-WbclApiMoveToNextElement(
+WbclApiMoveToNextElementX(
_In_ WBCL_Iterator* pWbclIterator)
/*++
diff --git a/PCPTool.v11/dll/dll.vcxproj b/PCPTool.v11/dll/dll.vcxproj
index 8f023c4f..63b54905 100644
--- a/PCPTool.v11/dll/dll.vcxproj
+++ b/PCPTool.v11/dll/dll.vcxproj
@@ -29,26 +29,26 @@
DynamicLibrary
true
- v140
+ v143
Unicode
DynamicLibrary
true
- v140
+ v143
Unicode
DynamicLibrary
false
- v140
+ v143
true
Unicode
DynamicLibrary
false
- v140
+ v143
true
Unicode
diff --git a/PCPTool.v11/exe/Support.cpp b/PCPTool.v11/exe/Support.cpp
index 9e5d4b8b..a2817f94 100644
--- a/PCPTool.v11/exe/Support.cpp
+++ b/PCPTool.v11/exe/Support.cpp
@@ -850,7 +850,7 @@ PcpToolDisplayLog(
PcpToolLevelPrefix(level + 1);
wprintf(L"\n", cbWBCL);
- if (FAILED(hr = WbclApiInitIterator(pbWBCL,
+ if (FAILED(hr = WbclApiInitIteratorX(pbWBCL,
cbWBCL,
&wbclIterator)))
{
@@ -862,7 +862,7 @@ PcpToolDisplayLog(
}
for (; hr == S_OK;
- hr = WbclApiMoveToNextElement(&wbclIterator))
+ hr = WbclApiMoveToNextElementX(&wbclIterator))
{
BYTE eventDataDigest[MAX_DIGEST_SIZE] = { 0 };
UINT32 PcrIndex;
@@ -871,7 +871,7 @@ PcpToolDisplayLog(
PBYTE pbEventData;
PBYTE pbDigest;
- hr = WbclApiGetCurrentElement(
+ hr = WbclApiGetCurrentElementX(
&wbclIterator,
&PcrIndex,
&EventType,
diff --git a/PCPTool.v11/exe/exe.vcxproj b/PCPTool.v11/exe/exe.vcxproj
index f39a8cdb..d20d11ec 100644
--- a/PCPTool.v11/exe/exe.vcxproj
+++ b/PCPTool.v11/exe/exe.vcxproj
@@ -29,26 +29,26 @@
Application
true
- v140
+ v143
Unicode
Application
true
- v140
+ v143
Unicode
Application
false
- v140
+ v143
true
Unicode
Application
false
- v140
+ v143
true
Unicode
diff --git a/PCPTool.v11/inc/TpmAtt.h b/PCPTool.v11/inc/TpmAtt.h
index 6d6f5e46..5dc10f3f 100644
--- a/PCPTool.v11/inc/TpmAtt.h
+++ b/PCPTool.v11/inc/TpmAtt.h
@@ -172,125 +172,125 @@ typedef struct _PCP_KEY_ATTESTATION_BLOB {
// SIPA event structures
+////
+//// Describes the VSM/SMART identity public key.
+////
+//typedef struct tag_SIPAEVENT_VSM_IDK_RSA_INFO
+//{
+// //
+// // Length of the RSA IDK modulus in bits.
+// //
+// ULONG32 KeyBitLength;
//
-// Describes the VSM/SMART identity public key.
+// //
+// // Length of the RSA IDK public exponent in bytes.
+// //
+// ULONG32 PublicExpLengthBytes;
//
-typedef struct tag_SIPAEVENT_VSM_IDK_RSA_INFO
-{
- //
- // Length of the RSA IDK modulus in bits.
- //
- ULONG32 KeyBitLength;
-
- //
- // Length of the RSA IDK public exponent in bytes.
- //
- ULONG32 PublicExpLengthBytes;
-
- //
- // Length of the modulus field in bytes.
- //
- ULONG32 ModulusSizeBytes;
-
- //
- // The layout of the PublicKeyData field is as follows:
- // PublicExponent[PublicExpLengthBytes] in Big-endian.
- // Modulus[ModulusSizeBytes] in Big-endian.
- //
- BYTE PublicKeyData[ANYSIZE_ARRAY];
-
-} SIPAEVENT_VSM_IDK_RSA_INFO, *PSIPAEVENT_VSM_IDK_RSA_INFO;
-
+// //
+// // Length of the modulus field in bytes.
+// //
+// ULONG32 ModulusSizeBytes;
//
-// Payload structure for the SIPAEVENT_VSM_IDK_INFO event.
+// //
+// // The layout of the PublicKeyData field is as follows:
+// // PublicExponent[PublicExpLengthBytes] in Big-endian.
+// // Modulus[ModulusSizeBytes] in Big-endian.
+// //
+// BYTE PublicKeyData[ANYSIZE_ARRAY];
//
-typedef struct tag_SIPAEVENT_VSM_IDK_INFO_PAYLOAD
-{
- //
- // Specifies the algorithm used for IDK. Should be one of VSM_IDK_ALG_ID values.
- //
- ULONG32 KeyAlgID;
-
- //
- // Algorithm-specific description of the public key.
- //
- union
- {
- //
- // Description of the RSA public key.
- //
- SIPAEVENT_VSM_IDK_RSA_INFO RsaKeyInfo;
- } DUMMYUNIONNAME;
-
-} SIPAEVENT_VSM_IDK_INFO_PAYLOAD, *PSIPAEVENT_VSM_IDK_INFO_PAYLOAD;
-
+//} SIPAEVENT_VSM_IDK_RSA_INFO, *PSIPAEVENT_VSM_IDK_RSA_INFO;
+
+////
+//// Payload structure for the SIPAEVENT_VSM_IDK_INFO event.
+////
+//typedef struct tag_SIPAEVENT_VSM_IDK_INFO_PAYLOAD
+//{
+// //
+// // Specifies the algorithm used for IDK. Should be one of VSM_IDK_ALG_ID values.
+// //
+// ULONG32 KeyAlgID;
//
-// Payload structure used to carry information about any policy blob.
+// //
+// // Algorithm-specific description of the public key.
+// //
+// union
+// {
+// //
+// // Description of the RSA public key.
+// //
+// SIPAEVENT_VSM_IDK_RSA_INFO RsaKeyInfo;
+// } DUMMYUNIONNAME;
//
-typedef struct tag_SIPAEVENT_SI_POLICY_PAYLOAD
-{
- //
- // Policy version
- //
- ULONGLONG PolicyVersion;
-
- //
- // Indicates the length (in bytes) of the policy name stored as part of VarLengthData.
- //
- UINT16 PolicyNameLength;
-
- //
- // Indicates hash algorithm ID used to produce policy digest.
- // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256.
- //
- UINT16 HashAlgID;
-
- //
- // Indicates the hash digest length (in bytes). Digest is stored as part of VarLengthData.
- //
- UINT32 DigestLength;
-
- //
- // VarLengthData layout is:
- //
- // (Policy name is stored as a WCHAR string with a terminating zero).
- // BYTE PolicyName[PolicyNameLength].
- //
- // BYTE Digest[DigestLength]
- //
- _Field_size_bytes_(PolicyNameLength + DigestLength)
- BYTE VarLengthData[ANYSIZE_ARRAY];
-
-} SIPAEVENT_SI_POLICY_PAYLOAD, *PSIPAEVENT_SI_POLICY_PAYLOAD;
-
+//} SIPAEVENT_VSM_IDK_INFO_PAYLOAD, *PSIPAEVENT_VSM_IDK_INFO_PAYLOAD;
+
+////
+//// Payload structure used to carry information about any policy blob.
+////
+//typedef struct tag_SIPAEVENT_SI_POLICY_PAYLOAD
+//{
+// //
+// // Policy version
+// //
+// ULONGLONG PolicyVersion;
//
-// Payload structure used to carry information about revocation lists.
+// //
+// // Indicates the length (in bytes) of the policy name stored as part of VarLengthData.
+// //
+// UINT16 PolicyNameLength;
//
-typedef struct tag_SIPAEVENT_REVOCATION_LIST_PAYLOAD
-{
- //
- // Creation time.
- //
- LONGLONG CreationTime;
-
- //
- // Indicates the hash digest length (in bytes).
- //
- UINT32 DigestLength;
-
- //
- // Indicates hash algorithm ID used to produce the revocation list digest.
- // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256.
- //
- UINT16 HashAlgID;
-
- //
- // Hash digest of the revocation list.
- //
- _Field_size_bytes_(DigestLength)
- BYTE Digest[ANYSIZE_ARRAY];
-
-} SIPAEVENT_REVOCATION_LIST_PAYLOAD, *PSIPAEVENT_REVOCATION_LIST_PAYLOAD;
+// //
+// // Indicates hash algorithm ID used to produce policy digest.
+// // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256.
+// //
+// UINT16 HashAlgID;
+//
+// //
+// // Indicates the hash digest length (in bytes). Digest is stored as part of VarLengthData.
+// //
+// UINT32 DigestLength;
+//
+// //
+// // VarLengthData layout is:
+// //
+// // (Policy name is stored as a WCHAR string with a terminating zero).
+// // BYTE PolicyName[PolicyNameLength].
+// //
+// // BYTE Digest[DigestLength]
+// //
+// _Field_size_bytes_(PolicyNameLength + DigestLength)
+// BYTE VarLengthData[ANYSIZE_ARRAY];
+//
+//} SIPAEVENT_SI_POLICY_PAYLOAD, *PSIPAEVENT_SI_POLICY_PAYLOAD;
+
+////
+//// Payload structure used to carry information about revocation lists.
+////
+//typedef struct tag_SIPAEVENT_REVOCATION_LIST_PAYLOAD
+//{
+// //
+// // Creation time.
+// //
+// LONGLONG CreationTime;
+//
+// //
+// // Indicates the hash digest length (in bytes).
+// //
+// UINT32 DigestLength;
+//
+// //
+// // Indicates hash algorithm ID used to produce the revocation list digest.
+// // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256.
+// //
+// UINT16 HashAlgID;
+//
+// //
+// // Hash digest of the revocation list.
+// //
+// _Field_size_bytes_(DigestLength)
+// BYTE Digest[ANYSIZE_ARRAY];
+//
+//} SIPAEVENT_REVOCATION_LIST_PAYLOAD, *PSIPAEVENT_REVOCATION_LIST_PAYLOAD;
// WBCL parser APIs
#pragma pack(push,1)
@@ -315,38 +315,38 @@ typedef UINT16 WBCL_DIGEST_ALG_ID;
#define WBCL_DIGEST_ALG_BITMAP_SHA_2_384 0x00000004
#define WBCL_DIGEST_ALG_BITMAP_SHA_2_512 0x00000008
+////
+//// An iterator object for WBCL log.
+////
+//typedef struct _WBCL_Iterator
+//{
+// // Pointer to the first element of the log.
+// PVOID firstElementPtr;
//
-// An iterator object for WBCL log.
+// // Log size in bytes.
+// UINT32 logSize;
//
-typedef struct _WBCL_Iterator
-{
- // Pointer to the first element of the log.
- PVOID firstElementPtr;
-
- // Log size in bytes.
- UINT32 logSize;
-
- // Pointer to the current element of the log.
- PVOID currentElementPtr;
-
- // Size of the current log entry pointed to by currentElementPtr.
- UINT32 currentElementSize;
-
- // Size of the digest field of event log entries.
- UINT16 digestSize;
-
- // Indicates the log format.
- UINT16 logFormat;
-
- // number of algorithms stored in the following digest table.
- UINT32 numberOfDigests;
-
- // points to the table in the header that contains the mapping of algorithm ids to digest sizes.
- PVOID digestSizes;
-
- // Hash algorithm ID used for the log. The value corresponds to one of the TPM 2.0 ALG_ID values.
- WBCL_DIGEST_ALG_ID hashAlgorithm;
-} WBCL_Iterator, *PWBCL_Iterator;
+// // Pointer to the current element of the log.
+// PVOID currentElementPtr;
+//
+// // Size of the current log entry pointed to by currentElementPtr.
+// UINT32 currentElementSize;
+//
+// // Size of the digest field of event log entries.
+// UINT16 digestSize;
+//
+// // Indicates the log format.
+// UINT16 logFormat;
+//
+// // number of algorithms stored in the following digest table.
+// UINT32 numberOfDigests;
+//
+// // points to the table in the header that contains the mapping of algorithm ids to digest sizes.
+// PVOID digestSizes;
+//
+// // Hash algorithm ID used for the log. The value corresponds to one of the TPM 2.0 ALG_ID values.
+// WBCL_DIGEST_ALG_ID hashAlgorithm;
+//} WBCL_Iterator, *PWBCL_Iterator;
#pragma pack(pop)
#if defined(__cplusplus)
@@ -355,12 +355,12 @@ extern "C" {
// WBCL parser functions (wbcl.h)
-DllExport HRESULT WbclApiInitIterator(
+DllExport HRESULT WbclApiInitIteratorX(
_In_ PVOID pLogBuffer,
_In_ UINT32 logSize,
_Out_ WBCL_Iterator* pWbclIterator);
-DllExport HRESULT WbclApiGetCurrentElement(
+DllExport HRESULT WbclApiGetCurrentElementX(
_In_ WBCL_Iterator* pWbclIterator,
_Out_ UINT32* pcrIndex,
_Out_ UINT32* eventType,
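Review bot: The exports are renamed with an `X` suffix but nothing in the header says why; the subject line mentions conflicting declarations, presumably with same-named functions that the newer SDK's wbcl.h now declares, but a reader of this header cannot tell that and may "fix" the names back. A one-line comment under `// WBCL parser functions (wbcl.h)`, e.g. `// Suffixed with X so they do not clash with the same-named exports declared by the SDK's wbcl.h`, would settle it; the definitions in PCPWbcl.cpp carry no explanation either. The `WBCL_Iterator` struct that these prototypes take by pointer is commented out of this header in the same commit (hunk at line 315), so they now rely on the SDK header providing that type with a compatible layout — that dependency belongs in the same comment.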
@@ -369,7 +369,7 @@ DllExport HRESULT WbclApiGetCurrentElement(
_Outptr_opt_result_bytebuffer_(*pcbElementDataSize) BYTE** ppbElementData
);
-DllExport HRESULT WbclApiMoveToNextElement(
+DllExport HRESULT WbclApiMoveToNextElementX(
_In_ WBCL_Iterator* pWbclIterator);
#ifndef NCRYPT_PCP_PLATFORM_BINDING_PCRALGID_PROPERTY
From 3d266ebad5eef4d0b99c6e934a64927413c1c4ad Mon Sep 17 00:00:00 2001
From: ksmith3036 <44052735+ksmith3036@users.noreply.github.com>
Date: Tue, 31 Oct 2023 18:15:51 +0100
Subject: [PATCH 2/4] Fixed handling of user versus machine keys
---
PCPTool.v11/exe/SDKSample.cpp | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
index edcc9666..e7a4dcbe 100644
--- a/PCPTool.v11/exe/SDKSample.cpp
+++ b/PCPTool.v11/exe/SDKSample.cpp
@@ -3354,8 +3354,9 @@ or in the machine context.
NCRYPT_PROV_HANDLE hProv = NULL;
NCryptKeyName* pKeyName = NULL;
PVOID pEnumState = NULL;
- DWORD dwFlags[2] = {NCRYPT_SILENT_FLAG,
- NCRYPT_SILENT_FLAG | NCRYPT_MACHINE_KEY_FLAG};
+ DWORD dwFlags[2] = {
+ NCRYPT_SILENT_FLAG | NCRYPT_MACHINE_KEY_FLAG,
+ NCRYPT_SILENT_FLAG };
NCRYPT_KEY_HANDLE hKey = NULL;
DWORD dwKeyUsage = NCRYPT_PCP_IDENTITY_KEY;
DWORD cbRequired = 0;
@@ -3414,8 +3415,16 @@ or in the machine context.
&hKey,
pKeyName->pszName,
0,
- 0))))
+ dwFlags[n] & NCRYPT_MACHINE_KEY_FLAG))))
{
+ wprintf(L"Could not open key: %s (0x%08lx)\n", pKeyName->pszName, hr);
+ if (pKeyName != NULL)
+ {
+ NCryptFreeBuffer(pKeyName);
+ pKeyName = NULL;
+ }
+ hr = S_OK;
+ continue;
goto Cleanup;
}
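Review bot: After the failed NCryptOpenKey the new code resets `hr = S_OK` and continues, so PcpToolEnumerateKeys() returns success even when every key in the store failed to open; the printed `Could not open key:` line is the only trace, which a script consuming the exit code will not see. A counter of skipped keys reported at the end of the enumeration, or a non-success `hr` when nothing could be opened, would keep the return value meaningful. The enclosing function and the enumeration loop start and end outside the hunk.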
@@ -3581,7 +3590,7 @@ or in the machine context.
NCryptFreeObject(hProv);
hProv = NULL;
}
- PcpToolCallResult(L"PcpToolEnumerateKey()", hr);
+ PcpToolCallResult(L"PcpToolEnumerateKeys()", hr);
return hr;
}
@@ -4219,8 +4228,16 @@ Delete a user key from the PCP storage.
0,
0))))
{
+ if (FAILED(hr = (NCryptOpenKey(
+ hProv,
+ &hKey,
+ keyName,
+ 0,
+ NCRYPT_MACHINE_KEY_FLAG))))
+ {
goto Cleanup;
}
+ }
// Delete the key
if(FAILED(hr = (NCryptDeleteKey(hKey,0))))
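Review bot: The added retry opens the same name with `NCRYPT_MACHINE_KEY_FLAG` whenever the user-context open fails for any reason, so a mistyped user key name can now delete a machine key of that name and the operator is not told which context was used; the header comment above still says "Delete a user key". Retry only when the first open reports the key as absent (the PCP KSP presumably returns `NTE_BAD_KEYSET` for that — confirm), print which context the key was deleted from, and update the header comment to state the machine-context fallback. The fallback also discards the first error, so a permission problem on the user key is reported as whatever the machine-key open returned. The enclosing function starts and ends outside the hunk.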
From b4d2683fe97212469f099a768ae5273a27704316 Mon Sep 17 00:00:00 2001
From: ksmith3036 <44052735+ksmith3036@users.noreply.github.com>
Date: Tue, 31 Oct 2023 18:16:48 +0100
Subject: [PATCH 3/4] Added DeleteKeys method, accepting a regex as argument,
to delete several keys in one operation
---
PCPTool.v11/exe/PCPTool.cpp | 5 ++
PCPTool.v11/exe/PCPTool.h | 8 +-
PCPTool.v11/exe/SDKSample.cpp | 149 +++++++++++++++++++++++++++++++++-
PCPTool.v11/exe/stdafx.h | 2 +
4 files changed, 161 insertions(+), 3 deletions(-)
diff --git a/PCPTool.v11/exe/PCPTool.cpp b/PCPTool.v11/exe/PCPTool.cpp
index f6e416dd..a649b8b1 100644
--- a/PCPTool.v11/exe/PCPTool.cpp
+++ b/PCPTool.v11/exe/PCPTool.cpp
@@ -50,6 +50,7 @@ PcpToolGetHelp(
wprintf(L" ExportKey [key name] [migrationAuth] {key file}\n");
wprintf(L" ChangeKeyUsageAuth [key name] [usageAuth] [newUsageAuth]\n");
wprintf(L" DeleteKey [key name]\n");
+ wprintf(L" DeleteKeys [key name regex]\n");
wprintf(L" GetPubKey [key name] {key File}\n");
wprintf(L" Encrypt [pubkey file] [data] {blob file}\n");
wprintf(L" Decrypt [key name] [blob file] {usageAuth}\n");
@@ -204,6 +205,10 @@ int __cdecl wmain(_In_ int argc,
{
hr = PcpToolDeleteKey(argc, argv);
}
+ else if (!_wcsicmp(command, L"deletekeys"))
+ {
+ hr = PcpToolDeleteKeys(argc, argv);
+ }
else if(!_wcsicmp(command, L"getpubkey"))
{
hr = PcpToolGetPubKey(argc, argv);
diff --git a/PCPTool.v11/exe/PCPTool.h b/PCPTool.v11/exe/PCPTool.h
index 8ecf3f83..07f8ae86 100644
--- a/PCPTool.v11/exe/PCPTool.h
+++ b/PCPTool.v11/exe/PCPTool.h
@@ -323,7 +323,13 @@ HRESULT
PcpToolDeleteKey(
int argc,
_In_reads_(argc) WCHAR* argv[]
- );
+);
+
+HRESULT
+PcpToolDeleteKeys(
+ int argc,
+ _In_reads_(argc) WCHAR* argv[]
+);
HRESULT
PcpToolGetPubKey(
diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
index e7a4dcbe..daea11f8 100644
--- a/PCPTool.v11/exe/SDKSample.cpp
+++ b/PCPTool.v11/exe/SDKSample.cpp
@@ -4235,8 +4235,8 @@ Delete a user key from the PCP storage.
0,
NCRYPT_MACHINE_KEY_FLAG))))
{
- goto Cleanup;
- }
+ goto Cleanup;
+ }
}
// Delete the key
@@ -4263,6 +4263,151 @@ Delete a user key from the PCP storage.
return hr;
}
+
+HRESULT
+PcpToolDeleteKeys(
+ int argc,
+ _In_reads_(argc) WCHAR* argv[]
+)
+/*++
+This function will enumerate all keys that are held on the PCPKSP for this user
+or in the machine context.
+--*/
+{
+ HRESULT hr = S_OK;
+ NCRYPT_PROV_HANDLE hProv = NULL;
+ NCryptKeyName* pKeyName = NULL;
+ PVOID pEnumState = NULL;
+ DWORD dwFlags[2] = {
+ NCRYPT_SILENT_FLAG | NCRYPT_MACHINE_KEY_FLAG,
+ NCRYPT_SILENT_FLAG };
+ NCRYPT_KEY_HANDLE hKey = NULL;
+ basic_regex regexKeyName;
+ int matchingKeys = 0;
+
+ // Mandatory parameter: Key Name
+ if (argc > 2)
+ {
+ regexKeyName = basic_regex(argv[2]);
+ }
+ else
+ {
+ wprintf(L"%s %s [key name]\n",
+ argv[0],
+ argv[1]);
+ hr = E_INVALIDARG;
+ goto Cleanup;
+ }
+
+ if (FAILED(hr = HRESULT_FROM_WIN32(NCryptOpenStorageProvider(
+ &hProv,
+ MS_PLATFORM_CRYPTO_PROVIDER,
+ 0))))
+ {
+ goto Cleanup;
+ }
+
+ for (UINT32 n = 0; n < (sizeof(dwFlags) / sizeof(DWORD)); n++)
+ {
+ hr = S_OK;
+
+ while (SUCCEEDED(hr))
+ {
+ hr = HRESULT_FROM_WIN32(NCryptEnumKeys(
+ hProv,
+ NULL,
+ &pKeyName,
+ &pEnumState,
+ dwFlags[n]));
+ if (FAILED(hr))
+ {
+ if (hr == HRESULT_FROM_WIN32((ULONG)NTE_NO_MORE_ITEMS))
+ {
+ if (pEnumState != NULL)
+ {
+ NCryptFreeBuffer(pEnumState);
+ pEnumState = NULL;
+ }
+ hr = S_OK;
+ break;
+ }
+ else
+ {
+ goto Cleanup;
+ }
+ }
+ else
+ {
+ if (regex_match(pKeyName->pszName, regexKeyName)) {
+ matchingKeys++;
+
+ if (FAILED(hr = HRESULT_FROM_WIN32(NCryptOpenKey(
+ hProv,
+ &hKey,
+ pKeyName->pszName,
+ 0,
+ dwFlags[n] & NCRYPT_MACHINE_KEY_FLAG))))
+ {
+ wprintf(L"Could not open key: %s (0x%08lx)\n", pKeyName->pszName, hr);
+ if (pKeyName != NULL)
+ {
+ NCryptFreeBuffer(pKeyName);
+ pKeyName = NULL;
+ }
+ hr = S_OK;
+ continue;
+ }
+
+ wprintf(L"Deletes key: %s ", pKeyName->pszName);
+ // Delete the key
+ if (FAILED(hr = (NCryptDeleteKey(hKey, 0))))
+ {
+ wprintf(L" Failed (0x%08lx)\n", hr);
+ }
+ else {
+ wprintf(L" Deleted\n");
+ }
+
+ NCryptFreeObject(hKey);
+ hKey = NULL;
+ NCryptFreeBuffer(pKeyName);
+ pKeyName = NULL;
+ }
+ }
+ }
+ }
+
+ if (matchingKeys == 0) {
+ wprintf(L"No matching keys found\n");
+ }
+
+Cleanup:
+ if (pKeyName != NULL)
+ {
+ NCryptFreeBuffer(pKeyName);
+ pKeyName = NULL;
+ }
+ if (pEnumState != NULL)
+ {
+ NCryptFreeBuffer(pEnumState);
+ pEnumState = NULL;
+ }
+ if (hKey != NULL)
+ {
+ NCryptFreeObject(hKey);
+ hKey = NULL;
+ }
+ if (hProv != NULL)
+ {
+ NCryptFreeObject(hProv);
+ hProv = NULL;
+ }
+ PcpToolCallResult(L"PcpToolDeleteKeys()", hr);
+ return hr;
+}
+
+
+
HRESULT
PcpToolGetPubKey(
int argc,
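Review bot: Every enumerated name that does not match the pattern leaks its NCryptKeyName buffer: inside `if (regex_match(pKeyName->pszName, regexKeyName))` the buffer is freed only on a match, and the next NCryptEnumKeys call overwrites `pKeyName`, so the no-match path needs an `else` that frees it (fence below). `basic_regex(argv[2])` throws `std::regex_error` on a malformed pattern and nothing here catches it, so a bad argument terminates the tool instead of returning `E_INVALIDARG`; `basic_regex regexKeyName;` without template arguments is also not the conventional spelling — `wregex` is, and matches the `WCHAR*` names being compared. The header comment is copied from PcpToolEnumerateKeys and should say that this function deletes every user- and machine-context key whose name fully matches `argv[2]`, which for a pattern like `.*` is the entire store, so printing the context ("user"/"machine") on the `Deletes key:` line would let the operator see what was removed. Two smaller points: `NCryptDeleteKey` is the only NCrypt call in the function not wrapped in `HRESULT_FROM_WIN32`, and I believe the NCrypt documentation says a handle passed to a successful `NCryptDeleteKey` is released by that call, in which case the unconditional `NCryptFreeObject(hKey)` that follows should be checked against the documentation.
```cpp
    wregex regexKeyName;
    // … unchanged: matchingKeys, argc check …
        try
        {
            regexKeyName = wregex(argv[2]);
        }
        catch (const regex_error&)
        {
            wprintf(L"Invalid key name regex: %s\n", argv[2]);
            hr = E_INVALIDARG;
            goto Cleanup;
        }
    // … unchanged: usage message, provider open, enumeration loop head …
                if (regex_match(pKeyName->pszName, regexKeyName))
                {
                    // … unchanged: open, delete and free of the matching key …
                }
                else
                {
                    // Non-matching name: release the buffer before the next
                    // NCryptEnumKeys call overwrites pKeyName.
                    NCryptFreeBuffer(pKeyName);
                    pKeyName = NULL;
                }
```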
diff --git a/PCPTool.v11/exe/stdafx.h b/PCPTool.v11/exe/stdafx.h
index 8376d46d..2e2d8961 100644
--- a/PCPTool.v11/exe/stdafx.h
+++ b/PCPTool.v11/exe/stdafx.h
@@ -39,6 +39,8 @@ Module Name:
#include
#include
#include
+#include
+using namespace std;
#include "targetver.h"
#include "TpmAtt.h"
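Review bot: `using namespace std;` in the precompiled header pulls the whole std namespace into every translation unit that includes stdafx.h, including the Windows SDK headers included after it (`targetver.h`, `TpmAtt.h`), so any SDK identifier that shares a name with a std symbol becomes ambiguous for the entire project; prefer `using std::wregex; using std::regex_match;` or qualify the two use sites in SDKSample.cpp. The header name on the added `#include` line is not visible in this rendering (presumably `<regex>`), and the using-directive placed between the standard includes and the project includes is easy to miss — if it stays, it belongs at the end of the include list.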
From fdf7503b405194c64398b49ded7397a6968a4ae0 Mon Sep 17 00:00:00 2001
From: ksmith3036 <44052735+ksmith3036@users.noreply.github.com>
Date: Thu, 2 Nov 2023 09:50:04 +0100
Subject: [PATCH 4/4] Edited according to code review comments
---
PCPTool.v11/exe/SDKSample.cpp | 8 +-
PCPTool.v11/inc/TpmAtt.h | 154 ----------------------------------
2 files changed, 5 insertions(+), 157 deletions(-)
diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
index daea11f8..0031b878 100644
--- a/PCPTool.v11/exe/SDKSample.cpp
+++ b/PCPTool.v11/exe/SDKSample.cpp
@@ -3424,8 +3424,8 @@ or in the machine context.
pKeyName = NULL;
}
hr = S_OK;
+ // Try next key
continue;
- goto Cleanup;
}
if(FAILED(hr = HRESULT_FROM_WIN32(NCryptGetProperty(
@@ -4364,7 +4364,8 @@ or in the machine context.
{
wprintf(L" Failed (0x%08lx)\n", hr);
}
- else {
+ else
+ {
wprintf(L" Deleted\n");
}
@@ -4377,7 +4378,8 @@ or in the machine context.
}
}
- if (matchingKeys == 0) {
+ if (matchingKeys == 0)
+ {
wprintf(L"No matching keys found\n");
}
diff --git a/PCPTool.v11/inc/TpmAtt.h b/PCPTool.v11/inc/TpmAtt.h
index 5dc10f3f..942118a1 100644
--- a/PCPTool.v11/inc/TpmAtt.h
+++ b/PCPTool.v11/inc/TpmAtt.h
@@ -170,128 +170,6 @@ typedef struct _PCP_KEY_ATTESTATION_BLOB {
#define TPM_STATIC_CONFIG_KEYATTEST_KEYS L"SYSTEM\\CurrentControlSet\\Services\\Tpm\\KeyAttestationKeys"
#define TPM_VOLATILE_CONFIG_DATA L"System\\CurrentControlSet\\Control\\IntegrityServices"
-// SIPA event structures
-
-////
-//// Describes the VSM/SMART identity public key.
-////
-//typedef struct tag_SIPAEVENT_VSM_IDK_RSA_INFO
-//{
-// //
-// // Length of the RSA IDK modulus in bits.
-// //
-// ULONG32 KeyBitLength;
-//
-// //
-// // Length of the RSA IDK public exponent in bytes.
-// //
-// ULONG32 PublicExpLengthBytes;
-//
-// //
-// // Length of the modulus field in bytes.
-// //
-// ULONG32 ModulusSizeBytes;
-//
-// //
-// // The layout of the PublicKeyData field is as follows:
-// // PublicExponent[PublicExpLengthBytes] in Big-endian.
-// // Modulus[ModulusSizeBytes] in Big-endian.
-// //
-// BYTE PublicKeyData[ANYSIZE_ARRAY];
-//
-//} SIPAEVENT_VSM_IDK_RSA_INFO, *PSIPAEVENT_VSM_IDK_RSA_INFO;
-
-////
-//// Payload structure for the SIPAEVENT_VSM_IDK_INFO event.
-////
-//typedef struct tag_SIPAEVENT_VSM_IDK_INFO_PAYLOAD
-//{
-// //
-// // Specifies the algorithm used for IDK. Should be one of VSM_IDK_ALG_ID values.
-// //
-// ULONG32 KeyAlgID;
-//
-// //
-// // Algorithm-specific description of the public key.
-// //
-// union
-// {
-// //
-// // Description of the RSA public key.
-// //
-// SIPAEVENT_VSM_IDK_RSA_INFO RsaKeyInfo;
-// } DUMMYUNIONNAME;
-//
-//} SIPAEVENT_VSM_IDK_INFO_PAYLOAD, *PSIPAEVENT_VSM_IDK_INFO_PAYLOAD;
-
-////
-//// Payload structure used to carry information about any policy blob.
-////
-//typedef struct tag_SIPAEVENT_SI_POLICY_PAYLOAD
-//{
-// //
-// // Policy version
-// //
-// ULONGLONG PolicyVersion;
-//
-// //
-// // Indicates the length (in bytes) of the policy name stored as part of VarLengthData.
-// //
-// UINT16 PolicyNameLength;
-//
-// //
-// // Indicates hash algorithm ID used to produce policy digest.
-// // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256.
-// //
-// UINT16 HashAlgID;
-//
-// //
-// // Indicates the hash digest length (in bytes). Digest is stored as part of VarLengthData.
-// //
-// UINT32 DigestLength;
-//
-// //
-// // VarLengthData layout is:
-// //
-// // (Policy name is stored as a WCHAR string with a terminating zero).
-// // BYTE PolicyName[PolicyNameLength].
-// //
-// // BYTE Digest[DigestLength]
-// //
-// _Field_size_bytes_(PolicyNameLength + DigestLength)
-// BYTE VarLengthData[ANYSIZE_ARRAY];
-//
-//} SIPAEVENT_SI_POLICY_PAYLOAD, *PSIPAEVENT_SI_POLICY_PAYLOAD;
-
-////
-//// Payload structure used to carry information about revocation lists.
-////
-//typedef struct tag_SIPAEVENT_REVOCATION_LIST_PAYLOAD
-//{
-// //
-// // Creation time.
-// //
-// LONGLONG CreationTime;
-//
-// //
-// // Indicates the hash digest length (in bytes).
-// //
-// UINT32 DigestLength;
-//
-// //
-// // Indicates hash algorithm ID used to produce the revocation list digest.
-// // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256.
-// //
-// UINT16 HashAlgID;
-//
-// //
-// // Hash digest of the revocation list.
-// //
-// _Field_size_bytes_(DigestLength)
-// BYTE Digest[ANYSIZE_ARRAY];
-//
-//} SIPAEVENT_REVOCATION_LIST_PAYLOAD, *PSIPAEVENT_REVOCATION_LIST_PAYLOAD;
-
// WBCL parser APIs
#pragma pack(push,1)
@@ -315,38 +193,6 @@ typedef UINT16 WBCL_DIGEST_ALG_ID;
#define WBCL_DIGEST_ALG_BITMAP_SHA_2_384 0x00000004
#define WBCL_DIGEST_ALG_BITMAP_SHA_2_512 0x00000008
-////
-//// An iterator object for WBCL log.
-////
-//typedef struct _WBCL_Iterator
-//{
-// // Pointer to the first element of the log.
-// PVOID firstElementPtr;
-//
-// // Log size in bytes.
-// UINT32 logSize;
-//
-// // Pointer to the current element of the log.
-// PVOID currentElementPtr;
-//
-// // Size of the current log entry pointed to by currentElementPtr.
-// UINT32 currentElementSize;
-//
-// // Size of the digest field of event log entries.
-// UINT16 digestSize;
-//
-// // Indicates the log format.
-// UINT16 logFormat;
-//
-// // number of algorithms stored in the following digest table.
-// UINT32 numberOfDigests;
-//
-// // points to the table in the header that contains the mapping of algorithm ids to digest sizes.
-// PVOID digestSizes;
-//
-// // Hash algorithm ID used for the log. The value corresponds to one of the TPM 2.0 ALG_ID values.
-// WBCL_DIGEST_ALG_ID hashAlgorithm;
-//} WBCL_Iterator, *PWBCL_Iterator;
#pragma pack(pop)
#if defined(__cplusplus)