in tools/testing/unseal/unseal.c [236:397]
int main (int argc, char *argv[])
{
int opt;
struct unseal_data *priv_key;
enum aux_attestation_seed_type type;
enum aux_attestation_seed_param param;
struct unseal_data *seed;
struct unseal_data *cipher;
struct unseal_data *sealing;
struct unseal_data *hmac;
uint8_t unseal_out[AUX_ATTESTATION_KEY_256BIT];
size_t i;
int status;
while ((opt = getopt (argc, argv, "0:1:2:3:4:")) != -1) {
switch (opt) {
case '0':
status = mbedtls_base64_decode (pcr_values[0], sizeof (pcr_values[0]),
&pcr_length[0], (uint8_t*) optarg, strlen (optarg));
if (status != 0) {
printf ("Failed to decode PCR0 value: -0x%x\n", -status);
return 1;
}
break;
case '1':
status = mbedtls_base64_decode (pcr_values[1], sizeof (pcr_values[1]),
&pcr_length[1], (uint8_t*) optarg, strlen (optarg));
if (status != 0) {
printf ("Failed to decode PCR1 value: -0x%x\n", -status);
return 1;
}
break;
case '2':
status = mbedtls_base64_decode (pcr_values[2], sizeof (pcr_values[2]),
&pcr_length[2], (uint8_t*) optarg, strlen (optarg));
if (status != 0) {
printf ("Failed to decode PCR2 value: -0x%x\n", -status);
return 1;
}
break;
case '3':
status = mbedtls_base64_decode (pcr_values[3], sizeof (pcr_values[3]),
&pcr_length[3], (uint8_t*) optarg, strlen (optarg));
if (status != 0) {
printf ("Failed to decode PCR3 value: -0x%x\n", -status);
return 1;
}
break;
case '4':
status = mbedtls_base64_decode (pcr_values[4], sizeof (pcr_values[4]),
&pcr_length[4], (uint8_t*) optarg, strlen (optarg));
if (status != 0) {
printf ("Failed to decode PCR4 value: -0x%x\n", -status);
return 1;
}
break;
default:
printf ("Invalid argument");
print_usage (1);
break;
}
}
if (argc < (optind + 7)) {
print_usage (1);
}
if (strcmp ("RSA", argv[optind + 1]) == 0) {
type = AUX_ATTESTATION_SEED_RSA;
}
else if (strcmp ("ECDH", argv[optind + 1]) == 0) {
type = AUX_ATTESTATION_SEED_ECDH;
}
else {
printf ("Invalid unseal seed type: %s\n", argv[optind + 1]);
return 1;
}
if (type == AUX_ATTESTATION_SEED_RSA) {
if (strcmp ("None", argv[optind + 2]) == 0) {
param = AUX_ATTESTATION_PARAM_PKCS15;
}
else if (strcmp ("SHA1", argv[optind + 2]) == 0) {
param = AUX_ATTESTATION_PARAM_OAEP_SHA1;
}
else if (strcmp ("SHA256", argv[optind + 2]) == 0) {
param = AUX_ATTESTATION_PARAM_OAEP_SHA256;
}
else {
printf ("Invalid RSA seed parameter type: %s\n", argv[optind + 2]);
return 1;
}
}
else {
if (strcmp ("None", argv[optind + 2]) == 0) {
param = AUX_ATTESTATION_PARAM_ECDH_RAW;
}
else if (strcmp ("SHA256", argv[optind + 2]) == 0) {
param = AUX_ATTESTATION_PARAM_ECDH_SHA256;
}
else {
printf ("Invalid ECDH seed parameter type: %s\n", argv[optind + 2]);
return 1;
}
}
if (type == AUX_ATTESTATION_SEED_RSA) {
printf ("RSA unsealing unsupported\n");
return 1;
}
priv_key = read_file (argv[optind + 0]);
seed = read_file (argv[optind + 3]);
cipher = read_file (argv[optind + 4]);
sealing = read_file (argv[optind + 5]);
hmac = read_file (argv[optind + 6]);
if (hmac->length != SHA256_HASH_LENGTH) {
printf ("HMAC length is not valid for HMAC-SHA256: %d\n", hmac->length);
return 1;
}
if ((sealing->length % 64) != 0) {
printf ("Sealing data must be a multiple of 64: %d\n", sealing->length);
return 1;
}
init_unseal (priv_key);
status = aux_attestation_unseal (&unseal, &hash.base, &pcr, AUX_ATTESTATION_KEY_256BIT,
seed->data, seed->length, type, param, hmac->data, HMAC_SHA256, cipher->data,
cipher->length, (const uint8_t (*)[64]) sealing->data, (sealing->length / 64), unseal_out,
sizeof (unseal_out));
if (status != 0) {
printf ("Unseal FAILED: 0x%x\n", status);
return 1;
}
for (i = 0; i < sizeof (unseal_out); i++) {
printf ("%02x", unseal_out[i]);
}
printf ("\n");
return 0;
}