/********************************************************************************/
/*										*/
/*		TPM 2.0 Attestation - Client EK and EK certificate  		*/
/*			     Written by Ken Goldman				*/
/*		       IBM Thomas J. Watson Research Center			*/
/*										*/
/* (c) Copyright IBM Corporation 2016 - 2019.					*/
/*										*/
/* All rights reserved.								*/
/* 										*/
/* Redistribution and use in source and binary forms, with or without		*/
/* modification, are permitted provided that the following conditions are	*/
/* met:										*/
/* 										*/
/* Redistributions of source code must retain the above copyright notice,	*/
/* this list of conditions and the following disclaimer.			*/
/* 										*/
/* Redistributions in binary form must reproduce the above copyright		*/
/* notice, this list of conditions and the following disclaimer in the		*/
/* documentation and/or other materials provided with the distribution.		*/
/* 										*/
/* Neither the names of the IBM Corporation nor the names of its		*/
/* contributors may be used to endorse or promote products derived from		*/
/* this software without specific prior written permission.			*/
/* 										*/
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS		*/
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT		*/
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR	*/
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT		*/
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,	*/
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT		*/
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,	*/
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	*/
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT		*/
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	*/
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.		*/
/********************************************************************************/

/* This program provisions an EK certificate.  It is required only for a SW TPM, which does not, of
   course, come with a certificate.

   NOTE This is a one time operation unless the EPS is changed, typically through the TSS regression
   test.  I suggest saving the NVChip file.

   Steps implemented:

   Create a primary key using the default IWG template
   
   Create a certificate using the CA key cakey.pem

   Create NV Index if not already provisioned.

   Write the certificate to NV.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Windows 10 crypto API clashes with openssl */
#ifdef TPM_WINDOWS
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#endif

#include <ibmtss/tss.h>
#include <ibmtss/tssutils.h>
#include <ibmtss/tssresponsecode.h>
#include <ibmtss/tsscrypto.h>
#include "ekutils.h"

/* local function prototypes */

static void printUsage(void);

static TPM_RC defineEKCertIndex(TSS_CONTEXT *tssContext,
				uint32_t certLength,	
				TPMI_RH_NV_INDEX nvIndex,
				const char *platformPassword);
static TPM_RC storeEkCertificate(TSS_CONTEXT *tssContext,
				 uint32_t certLength,
				 unsigned char *certificate,	
				 TPMI_RH_NV_INDEX nvIndex,
				 const char *platformPassword);

int vverbose = 0;
extern int tssUtilsVerbose;

int main(int argc, char *argv[])
{
    int 		rc = 0;
    int			i;    /* argc iterator */
    TSS_CONTEXT 	*tssContext = NULL;
    int			noFlush = FALSE;
    const char		*certificateFilename = NULL;
    TPMI_RH_NV_INDEX	ekCertIndex = EK_CERT_RSA_INDEX;
    /* the CA for endorsement key certificates */
    const char 		*caKeyFileName = NULL;
    const char 		*caKeyPassword = "";
    const char		*platformPassword = NULL; 
    TPMT_PUBLIC 	tpmtPublicOut;		/* primary key public part */
    char 		*x509CertString = NULL;
    char 		*pemCertString = NULL;
    uint32_t 		certLength;
    unsigned char 	*certificate = NULL;

    /* FIXME may be better from command line or config file */
    char *subjectEntries[] = {
	"US",		/* 0 country */
	"NY",		/* 1 state */
	"Yorktown",	/* 2 locality*/
	"IBM",		/* 3 organization */
	NULL,		/* 4 organization unit */
	"IBM's SW TPM",	/* 5 common name */
	NULL		/* 6 email */
    };
    /* FIXME should come from root certificate, cacert.pem, cacertec.pem */
    char *rootIssuerEntriesRsa[] = {
	"US"			,
	"NY"			,
	"Yorktown"		,
	"IBM"			,
	NULL			,
	"EK CA"			,
	NULL	
    };
    char *rootIssuerEntriesEc[] = {
	"US"			,
	"NY"			,
	"Yorktown"		,
	"IBM"			,
	NULL			,
	"EK EC CA"		,
	NULL	
    };
    /* default RSA */
    char 		**issuerEntries = rootIssuerEntriesRsa;
    size_t		issuerEntriesSize = sizeof(rootIssuerEntriesRsa)/sizeof(char *);

    setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to log file */
    TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
    tssUtilsVerbose = FALSE;

    /* command line argument defaults */
    for (i=1 ; (i<argc) && (rc == 0) ; i++) {
	if (strcmp(argv[i],"-noflush") == 0) {
	    noFlush = TRUE;
	}
	else if (strcmp(argv[i],"-of") == 0) {
	    i++;
	    if (i < argc) {
		certificateFilename = argv[i];
	    }
	    else {
		printf("-of option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-alg") == 0) {
	    i++;
	    if (i < argc) {
		if (strcmp(argv[i],"rsa") == 0) {
		    ekCertIndex = EK_CERT_RSA_INDEX;
		}
		else if (strcmp(argv[i],"ecc") == 0) {
		    ekCertIndex = EK_CERT_EC_INDEX;
		}
		else {
		    printf("Bad parameter %s for -alg\n", argv[i]);
		    printUsage();
		}
	    }
	    else {
		printf("-alg option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-caalg") == 0) {
	    i++;
	    if (i < argc) {
		if (strcmp(argv[i],"rsa") == 0) {
		    issuerEntries = rootIssuerEntriesRsa;
		    issuerEntriesSize = sizeof(rootIssuerEntriesRsa)/sizeof(char *);
		}
		else if (strcmp(argv[i],"ec") == 0) {
		    issuerEntries = rootIssuerEntriesEc;
		    issuerEntriesSize = sizeof(rootIssuerEntriesEc)/sizeof(char *);
		}
		else {
		    printf("Bad parameter %s for -caalg\n", argv[i]);
		    printUsage();
		}
	    }
	    else {
		printf("-alg option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-cakey") == 0) {
	    i++;
	    if (i < argc) {
		caKeyFileName = argv[i];
	    }
	    else {
		printf("ERROR: Missing parameter for -cakey\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-capwd") == 0) {
	    i++;
	    if (i < argc) {
		caKeyPassword = argv[i];
	    }
	    else {
		printf("ERROR: Missing parameter for -capwd\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-pwdp") == 0) {
	    i++;
	    if (i < argc) {
		platformPassword = argv[i];
	    }
	    else {
		printf("-pwdp option needs a value\n");
		printUsage();
	    }
	}
	else if (strcmp(argv[i],"-h") == 0) {
	    printUsage();
	}
	else if (strcmp(argv[i],"-v") == 0) {
	    tssUtilsVerbose = 1;
	}
	else if (strcmp(argv[i],"-vv") == 0) {
	    TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");	/* trace entire TSS */
	    tssUtilsVerbose = 1;
	    vverbose = 1;
	}
	else {
 	    printf("\n%s is not a valid option\n", argv[i]);
	    printUsage();
	}
    }
    if (caKeyFileName == NULL) {
	printf("ERROR: Missing -cakey\n");
	printUsage();
    }
    /* Start a TSS context */
    if (rc == 0) {
	rc = TSS_Create(&tssContext);
    }
    /* create a primary EK using the default IWG template */
    if (rc == 0) {
	TPM_HANDLE keyHandle;
	rc = processCreatePrimary(tssContext,
				  &keyHandle,
				  ekCertIndex,		/* RSA or EC */
				  NULL, 0,		/* EK nonce, can be NULL */
				  NULL,			/* template */
				  &tpmtPublicOut,	/* primary key */
				  noFlush,
				  tssUtilsVerbose);		/* print errors */
    }
    /* create the EK certificate from the EK public key, using the above issuer and subject */
    if (rc == 0) {
	rc = createCertificate(&x509CertString,			/* freed @3 */
			       &pemCertString,			/* freed @2 */
			       &certLength,
			       &certificate,			/* output, freed @1 */
			       &tpmtPublicOut,			/* public key to be certified */
			       caKeyFileName,			/* CA signing key */
			       issuerEntriesSize,
			       issuerEntries,			/* certificate issuer */
			       sizeof(subjectEntries)/sizeof(char *),
			       subjectEntries,			/* certificate subject */
			       caKeyPassword);			/* CA signing key password */
    }
    /* If the NV index is not defined, define it */
    if (rc == 0) {
	rc = defineEKCertIndex(tssContext,
			       certLength,	
			       ekCertIndex,
			       platformPassword);
    }
    /* store the EK certificate in NV */
    if (rc == 0) {
	rc = storeEkCertificate(tssContext,
				certLength, certificate,	
				ekCertIndex,
				platformPassword);
    }
    /* optionally store the certificate in DER format */
    if ((rc == 0) && (certificateFilename != NULL)) {
	rc = TSS_File_WriteBinaryFile(certificate, certLength, certificateFilename);
    }
    {
	TPM_RC rc1 = TSS_Delete(tssContext);
	if (rc == 0) {
	    rc = rc1;
	}
    }
    free(certificate);			/* @1 */
    free(pemCertString);		/* @2 */
    free(x509CertString);		/* @3 */
    return rc;
}

/* defineEKCertIndex() defines the EK certificate index if it is not already defined */

static TPM_RC defineEKCertIndex(TSS_CONTEXT *tssContext,
				uint32_t certLength,	
				TPMI_RH_NV_INDEX nvIndex,
				const char *platformPassword)
{
    TPM_RC 		rc = 0;
    NV_ReadPublic_In 	nvReadPublicIn;
    NV_ReadPublic_Out	nvReadPublicOut;
    NV_DefineSpace_In 	nvDefineSpaceIn;
    
    /* read metadata to make sure the index is there, the size is sufficient, and get the Name */
    if (tssUtilsVerbose) printf("defineEKCertIndex: certificate length %u\n", certLength);
    if (rc == 0) {
	nvReadPublicIn.nvIndex = nvIndex;
	rc = TSS_Execute(tssContext,
			 (RESPONSE_PARAMETERS *)&nvReadPublicOut,
			 (COMMAND_PARAMETERS *)&nvReadPublicIn,
			 NULL,
			 TPM_CC_NV_ReadPublic,
			 TPM_RH_NULL, NULL, 0);
    }
    /* if already defined, check the size */
    if (rc == 0) {
	if (tssUtilsVerbose) printf("defineEKCertIndex: defined data size %u\n",
			    nvReadPublicOut.nvPublic.nvPublic.dataSize);
	if (nvReadPublicOut.nvPublic.nvPublic.dataSize < certLength) {
	    printf("defineEKCertIndex: data size %u insufficient for certificate %u\n",
		   nvReadPublicOut.nvPublic.nvPublic.dataSize, certLength);
	    rc = EXIT_FAILURE;
	}
    }
    else if ((rc & 0xff) == TPM_RC_HANDLE) {
	rc = 0;		/* not an error yet, define the index for the EK certificate */
	nvDefineSpaceIn.authHandle = TPM_RH_PLATFORM;
	nvDefineSpaceIn.auth.b.size = 0;					/* empty auth */
	nvDefineSpaceIn.publicInfo.nvPublic.authPolicy.t.size = 0;		/* empty policy */
	nvDefineSpaceIn.publicInfo.nvPublic.nvIndex = nvIndex;	/* handle of the data area */
	nvDefineSpaceIn.publicInfo.nvPublic.nameAlg = TPM_ALG_SHA256; 	/* name hash algorithm */
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val = 0;
	/* PC Client specification */
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_ORDINARY;
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_PLATFORMCREATE;
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_AUTHREAD;
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_NO_DA;
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_PPWRITE;
	/* required for Microsoft Windows certification test */
	nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_OWNERREAD; 
	if (certLength < 1000) {
	    nvDefineSpaceIn.publicInfo.nvPublic.dataSize = 1000;		/* minimum size */
	}
	else {
	    nvDefineSpaceIn.publicInfo.nvPublic.dataSize = certLength;
	}
	/* call TSS to execute the command */
	if (rc == 0) {
	    rc = TSS_Execute(tssContext,
			     NULL,
			     (COMMAND_PARAMETERS *)&nvDefineSpaceIn,
			     NULL,
			     TPM_CC_NV_DefineSpace,
			     TPM_RS_PW, platformPassword, 0,
			     TPM_RH_NULL, NULL, 0);
	}
    }
    if (rc != 0) {
	const char *msg;
	const char *submsg;
	const char *num;
	printf("defineEKCertIndex: failed, rc %08x\n", rc);
	TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
	printf("%s%s%s\n", msg, submsg, num);
	printf("ERROR: defineEKCertIndex: requires certificate min length %u at index %08x\n",
	       certLength, nvIndex);
	rc = EXIT_FAILURE;
    }
    return rc;
}

/* storeEkCertificate() writes the EK certificate at the specified NV index.  It does not define the
   NV index.  */

static TPM_RC storeEkCertificate(TSS_CONTEXT *tssContext,
				 uint32_t certLength,
				 unsigned char *certificate,	
				 TPMI_RH_NV_INDEX nvIndex,
				 const char *platformPassword)
{
    TPM_RC 		rc = 0;
    NV_Write_In 	nvWriteIn;
    uint32_t 		nvBufferMax;		/* max write in one chunk */
    uint16_t 		bytesWritten;		/* bytes written so far */
    int			done = FALSE;

    if (rc == 0) {
	rc = readNvBufferMax(tssContext,
			     &nvBufferMax);
    }    
    if (rc == 0) {
	if (tssUtilsVerbose) printf("storeEkCertificate: writing %u bytes to %08x\n",
			    certLength, nvIndex);
	nvWriteIn.authHandle = TPM_RH_PLATFORM;  
	nvWriteIn.nvIndex = nvIndex;
	nvWriteIn.offset = 0;
	bytesWritten = 0;	/* bytes written so far */
    }
    while ((rc == 0) && !done) {
	uint16_t writeBytes;		/* bytes to write in this pass */
	if (rc == 0) {
	    nvWriteIn.offset = bytesWritten;
	    if ((uint32_t)(certLength - bytesWritten) < nvBufferMax) {
		writeBytes = certLength - bytesWritten;	/* last chunk */
	    }
	    else {
		writeBytes = nvBufferMax;	/* next chunk */
	    }
	    rc = TSS_TPM2B_Create(&nvWriteIn.data.b, certificate + bytesWritten, writeBytes,
				  sizeof(nvWriteIn.data.t.buffer));
	}
	if (rc == 0) {
	    rc = TSS_Execute(tssContext,
			     NULL,
			     (COMMAND_PARAMETERS *)&nvWriteIn,
			     NULL,
			     TPM_CC_NV_Write,
			     TPM_RS_PW, platformPassword, 0,
			     TPM_RH_NULL, NULL, 0);
	}
	if (rc == 0) {
	    bytesWritten += writeBytes;
	    if (bytesWritten == certLength) {
		done = TRUE;
	    }
	}
    }
    if (rc == 0) {
	if (tssUtilsVerbose) printf("storeEkCertificate: success\n");
    }
    else {
	const char *msg;
	const char *submsg;
	const char *num;
	printf("storeEkCertificate: failed, rc %08x\n", rc);
	TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
	printf("%s%s%s\n", msg, submsg, num);
	if (rc == TSS_RC_FILE_OPEN) {
	    printf("Possible cause: missing nvreadpublic before nvwrite\n");
	}
	rc = EXIT_FAILURE;
    }
    return rc;
}

static void printUsage(void)
{
    printf("\n");
    printf("createekcert\n");
    printf("\n");
    printf("Provisions an EK certificate, using the default IWG template\n");
    printf("E.g.,\n");
    printf("\n");
    printf("Usage: createekcert -alg rsa -cakey cakey.pem    -capwd rrrr -v\n");
    printf("or:    createekcert -alg ecc -cakey cakeyecc.pem -capwd rrrr -caalg ec -v\n");
    printf("\n");
    printf("\t[-pwdp\t\tplatform hierarchy password (default empty)]\n");
    printf("\t-cakey\t\tCA PEM key file name\n");
    printf("\t[-capwd\t\tCA PEM key password (default empty)]\n");
    printf("\t[-caalg\t\tCA key algorithm (rsa or ec) (default rsa)]\n");
    printf("\t[-alg\t\t(rsa or ecc certificate) (default rsa)]\n");
    printf("\t[-noflush\tdo not flush the primary key]\n");
    printf("\t[-of\t\tDER certificate output file name]\n");
    printf("\n");
    printf("Currently:\n");
    printf("\n");
    printf("\tCertificate issuer, subject, and validity are hard coded.\n");
    exit(1);	
}