diff --git a/PCPTool.v11/dll/AttestationApi.cpp b/PCPTool.v11/dll/AttestationApi.cpp index ba621b17..bf135f30 100644 --- a/PCPTool.v11/dll/AttestationApi.cpp +++ b/PCPTool.v11/dll/AttestationApi.cpp @@ -424,7 +424,7 @@ TpmAttiComputeSoftPCRs( goto Cleanup; } - if (FAILED(hr = WbclApiInitIterator(pbEventLog, + if (FAILED(hr = WbclApiInitIteratorX(pbEventLog, cbEventLog, &wbclIterator))) { @@ -453,9 +453,9 @@ TpmAttiComputeSoftPCRs( } for (; hr == S_OK; - hr = WbclApiMoveToNextElement(&wbclIterator)) + hr = WbclApiMoveToNextElementX(&wbclIterator)) { - hr = WbclApiGetCurrentElement( + hr = WbclApiGetCurrentElementX( &wbclIterator, &PcrIndex, &EventType, @@ -632,7 +632,7 @@ TpmAttiFilterLog( // Make OACR happy *pcbResult = 0; - if (FAILED(hr = WbclApiInitIterator(pbEventLog, + if (FAILED(hr = WbclApiInitIteratorX(pbEventLog, cbEventLog, &wbclIterator))) { @@ -650,9 +650,9 @@ TpmAttiFilterLog( // 1st pass to find out how much space we will need for (; hr == S_OK; - hr = WbclApiMoveToNextElement(&wbclIterator)) + hr = WbclApiMoveToNextElementX(&wbclIterator)) { - hr = WbclApiGetCurrentElement( + hr = WbclApiGetCurrentElementX( &wbclIterator, &pcrIndex, &eventType, @@ -694,7 +694,7 @@ TpmAttiFilterLog( goto Cleanup; } - if (FAILED(hr = WbclApiInitIterator(pbEventLog, + if (FAILED(hr = WbclApiInitIteratorX(pbEventLog, cbEventLog, &wbclIterator))) { @@ -723,9 +723,9 @@ TpmAttiFilterLog( // 2nd pass to copy the entries for (; hr == S_OK; - hr = WbclApiMoveToNextElement(&wbclIterator)) + hr = WbclApiMoveToNextElementX(&wbclIterator)) { - hr = WbclApiGetCurrentElement( + hr = WbclApiGetCurrentElementX( &wbclIterator, &pcrIndex, &eventType, @@ -1119,7 +1119,7 @@ TpmAttGeneratePlatformAttestation( goto Cleanup; } - if (FAILED(hr = WbclApiInitIterator(pbLog, cbLog, &wbclIterator))) + if (FAILED(hr = WbclApiInitIteratorX(pbLog, cbLog, &wbclIterator))) { goto Cleanup; } 
@@ -2039,7 +2039,7 @@ TpmAttCreateAttestationfromLog( goto Cleanup; } - if (FAILED(hr = WbclApiInitIterator(pbLog, + if (FAILED(hr = WbclApiInitIteratorX(pbLog, cbLog, &wbclIterator))) { @@ -2048,9 +2048,9 @@ TpmAttCreateAttestationfromLog( // parse the log for (; hr == S_OK; - hr = WbclApiMoveToNextElement(&wbclIterator)) + hr = WbclApiMoveToNextElementX(&wbclIterator)) { - hr = WbclApiGetCurrentElement( + hr = WbclApiGetCurrentElementX( &wbclIterator, &pcrIndex, &eventType, @@ -2399,7 +2399,7 @@ TpmAttGetPlatformAttestationProperties( pAttestation->cbSignature]; cbPlatformLog = pAttestation->cbLog; - if (FAILED(hr = WbclApiInitIterator(pbPlatformLog, + if (FAILED(hr = WbclApiInitIteratorX(pbPlatformLog, cbPlatformLog, &wbclIterator))) { @@ -2417,9 +2417,9 @@ TpmAttGetPlatformAttestationProperties( // 2nd pass to copy the entries for (; hr == S_OK; - hr = WbclApiMoveToNextElement(&wbclIterator)) + hr = WbclApiMoveToNextElementX(&wbclIterator)) { - hr = WbclApiGetCurrentElement( + hr = WbclApiGetCurrentElementX( &wbclIterator, &pcrIndex, &eventType, diff --git a/PCPTool.v11/dll/PCPWbcl.cpp b/PCPTool.v11/dll/PCPWbcl.cpp index 5acc37e2..7b053d15 100644 --- a/PCPTool.v11/dll/PCPWbcl.cpp +++ b/PCPTool.v11/dll/PCPWbcl.cpp @@ -511,7 +511,7 @@ Return value: // HRESULT -WbclApiInitIterator( +WbclApiInitIteratorX( _In_bytecount_(logSize) PVOID pLogBuffer, _In_ UINT32 logSize, _Out_ WBCL_Iterator* pWbclIterator @@ -589,7 +589,7 @@ Return value: // // Extract information for the first event in the log. // - hr = WbclApiGetCurrentElement(pWbclIterator, + hr = WbclApiGetCurrentElementX(pWbclIterator, &pcrIndex, &eventType, NULL, @@ -696,7 +696,7 @@ Return value: // Move to the first log entry after the descriptor. // WbclApiMoveToNextElement() does boundary checks. // - hr = WbclApiMoveToNextElement(pWbclIterator); + hr = WbclApiMoveToNextElementX(pWbclIterator); if (hr != S_OK) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); 
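Review bot: The comment two lines above the changed call in the last hunk still reads `// WbclApiMoveToNextElement() does boundary checks.`, naming the function this commit renames, so the only in-code pointer to where the bounds checking lives now refers to a symbol that no longer exists. Update it to `// WbclApiMoveToNextElementX() does boundary checks.` so the reference can still be grepped to the definition. The enclosing WbclApiInitIteratorX body starts outside this hunk.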
@@ -710,7 +710,7 @@ Return value: } HRESULT -WbclApiGetCurrentElement( +WbclApiGetCurrentElementX( _In_ WBCL_Iterator* pWbclIterator, _Out_ UINT32* pcrIndex, _Out_ UINT32* eventType, @@ -787,7 +787,7 @@ Return value: } HRESULT -WbclApiMoveToNextElement( +WbclApiMoveToNextElementX( _In_ WBCL_Iterator* pWbclIterator) /*++ diff --git a/PCPTool.v11/dll/dll.vcxproj b/PCPTool.v11/dll/dll.vcxproj index 8f023c4f..63b54905 100644 --- a/PCPTool.v11/dll/dll.vcxproj +++ b/PCPTool.v11/dll/dll.vcxproj @@ -29,26 +29,26 @@ DynamicLibrary true - v140 + v143 Unicode DynamicLibrary true - v140 + v143 Unicode DynamicLibrary false - v140 + v143 true Unicode DynamicLibrary false - v140 + v143 true Unicode diff --git a/PCPTool.v11/exe/PCPTool.cpp b/PCPTool.v11/exe/PCPTool.cpp index f6e416dd..a649b8b1 100644 --- a/PCPTool.v11/exe/PCPTool.cpp +++ b/PCPTool.v11/exe/PCPTool.cpp @@ -50,6 +50,7 @@ PcpToolGetHelp( wprintf(L" ExportKey [key name] [migrationAuth] {key file}\n"); wprintf(L" ChangeKeyUsageAuth [key name] [usageAuth] [newUsageAuth]\n"); wprintf(L" DeleteKey [key name]\n"); + wprintf(L" DeleteKeys [key name regex]\n"); wprintf(L" GetPubKey [key name] {key File}\n"); wprintf(L" Encrypt [pubkey file] [data] {blob file}\n"); wprintf(L" Decrypt [key name] [blob file] {usageAuth}\n"); @@ -204,6 +205,10 @@ int __cdecl wmain(_In_ int argc, { hr = PcpToolDeleteKey(argc, argv); } + else if (!_wcsicmp(command, L"deletekeys")) + { + hr = PcpToolDeleteKeys(argc, argv); + } else if(!_wcsicmp(command, L"getpubkey")) { hr = PcpToolGetPubKey(argc, argv); diff --git a/PCPTool.v11/exe/PCPTool.h b/PCPTool.v11/exe/PCPTool.h index 8ecf3f83..07f8ae86 100644 --- a/PCPTool.v11/exe/PCPTool.h +++ b/PCPTool.v11/exe/PCPTool.h @@ -323,7 +323,13 @@ HRESULT PcpToolDeleteKey( int argc, _In_reads_(argc) WCHAR* argv[] - ); +); + +HRESULT +PcpToolDeleteKeys( + int argc, + _In_reads_(argc) WCHAR* argv[] +); HRESULT PcpToolGetPubKey( 
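Review bot: The new help line in PcpToolGetHelp, `DeleteKeys [key name regex]`, does not tell the operator how the pattern is applied, although the implementation elsewhere in this commit uses regex_match (whole-name match) and walks both the machine and the user key store, so `foo` will not hit `foobar` but `.*` will remove every key the caller can open. Because the command is destructive, spell that out: `wprintf(L" DeleteKeys [key name regex] (whole-name ECMAScript match; user and machine keys)\n");`. The dispatch branch added in the second hunk is fine as is.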
diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp index edcc9666..0031b878 100644 --- a/PCPTool.v11/exe/SDKSample.cpp +++ b/PCPTool.v11/exe/SDKSample.cpp @@ -3354,8 +3354,9 @@ or in the machine context. NCRYPT_PROV_HANDLE hProv = NULL; NCryptKeyName* pKeyName = NULL; PVOID pEnumState = NULL; - DWORD dwFlags[2] = {NCRYPT_SILENT_FLAG, - NCRYPT_SILENT_FLAG | NCRYPT_MACHINE_KEY_FLAG}; + DWORD dwFlags[2] = { + NCRYPT_SILENT_FLAG | NCRYPT_MACHINE_KEY_FLAG, + NCRYPT_SILENT_FLAG }; NCRYPT_KEY_HANDLE hKey = NULL; DWORD dwKeyUsage = NCRYPT_PCP_IDENTITY_KEY; DWORD cbRequired = 0; @@ -3414,9 +3415,17 @@ or in the machine context. &hKey, pKeyName->pszName, 0, - 0)))) + dwFlags[n] & NCRYPT_MACHINE_KEY_FLAG)))) { - goto Cleanup; + wprintf(L"Could not open key: %s (0x%08lx)\n", pKeyName->pszName, hr); + if (pKeyName != NULL) + { + NCryptFreeBuffer(pKeyName); + pKeyName = NULL; + } + hr = S_OK; + // Try next key + continue; } if(FAILED(hr = HRESULT_FROM_WIN32(NCryptGetProperty( @@ -3581,7 +3590,7 @@ or in the machine context. NCryptFreeObject(hProv); hProv = NULL; } - PcpToolCallResult(L"PcpToolEnumerateKey()", hr); + PcpToolCallResult(L"PcpToolEnumerateKeys()", hr); return hr; } @@ -4219,7 +4228,15 @@ Delete a user key from the PCP storage. 0, 0)))) { - goto Cleanup; + if (FAILED(hr = (NCryptOpenKey( + hProv, + &hKey, + keyName, + 0, + NCRYPT_MACHINE_KEY_FLAG)))) + { + goto Cleanup; + } } // Delete the key 
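Review bot: In the PcpToolDeleteKey hunk the new fallback retries NCryptOpenKey with NCRYPT_MACHINE_KEY_FLAG whenever the user-context open fails for any reason, so a mistyped, missing or temporarily inaccessible user key silently selects — and then irreversibly deletes — the machine-wide key of the same name, and the first failure code is overwritten before anyone sees it. Fall back only when the user-context key genuinely does not exist and say which store is being touched: `if (hr != NTE_BAD_KEYSET) goto Cleanup;` before the retry (NTE_BAD_KEYSET is what NCryptOpenKey normally returns for an unknown key name; confirm against the provider), and `wprintf(L"No user key %s; deleting machine key\n", keyName);` once the second open succeeds. An explicit machine-context switch on the command line would be safer still than an implicit fallback. PcpToolDeleteKey starts and ends outside this hunk.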
@@ -4246,6 +4263,153 @@ Delete a user key from the PCP storage. return hr; } + +HRESULT +PcpToolDeleteKeys( + int argc, + _In_reads_(argc) WCHAR* argv[] +) +/*++ +This function will enumerate all keys that are held on the PCPKSP for this user +or in the machine context. +--*/ +{ + HRESULT hr = S_OK; + NCRYPT_PROV_HANDLE hProv = NULL; + NCryptKeyName* pKeyName = NULL; + PVOID pEnumState = NULL; + DWORD dwFlags[2] = { + NCRYPT_SILENT_FLAG | NCRYPT_MACHINE_KEY_FLAG, + NCRYPT_SILENT_FLAG }; + NCRYPT_KEY_HANDLE hKey = NULL; + basic_regex regexKeyName; + int matchingKeys = 0; + + // Mandatory parameter: Key Name + if (argc > 2) + { + regexKeyName = basic_regex(argv[2]); + } + else + { + wprintf(L"%s %s [key name]\n", + argv[0], + argv[1]); + hr = E_INVALIDARG; + goto Cleanup; + } + + if (FAILED(hr = HRESULT_FROM_WIN32(NCryptOpenStorageProvider( + &hProv, + MS_PLATFORM_CRYPTO_PROVIDER, + 0)))) + { + goto Cleanup; + } + + for (UINT32 n = 0; n < (sizeof(dwFlags) / sizeof(DWORD)); n++) + { + hr = S_OK; + + while (SUCCEEDED(hr)) + { + hr = HRESULT_FROM_WIN32(NCryptEnumKeys( + hProv, + NULL, + &pKeyName, + &pEnumState, + dwFlags[n])); + if (FAILED(hr)) + { + if (hr == HRESULT_FROM_WIN32((ULONG)NTE_NO_MORE_ITEMS)) + { + if (pEnumState != NULL) + { + NCryptFreeBuffer(pEnumState); + pEnumState = NULL; + } + hr = S_OK; + break; + } + else + { + goto Cleanup; + } + } + else + { + if (regex_match(pKeyName->pszName, regexKeyName)) { + matchingKeys++; + + if (FAILED(hr = HRESULT_FROM_WIN32(NCryptOpenKey( + hProv, + &hKey, + pKeyName->pszName, + 0, + dwFlags[n] & NCRYPT_MACHINE_KEY_FLAG)))) + { + wprintf(L"Could not open key: %s (0x%08lx)\n", pKeyName->pszName, hr); + if (pKeyName != NULL) + { + NCryptFreeBuffer(pKeyName); + pKeyName = NULL; + } + hr = S_OK; + continue; + } + + wprintf(L"Deletes key: %s ", pKeyName->pszName); + // Delete the key + if (FAILED(hr = (NCryptDeleteKey(hKey, 0)))) + { + wprintf(L" Failed (0x%08lx)\n", hr); + } + else + { + wprintf(L" Deleted\n"); + } + + 
NCryptFreeObject(hKey); + hKey = NULL; + NCryptFreeBuffer(pKeyName); + pKeyName = NULL; + } + } + } + } + + if (matchingKeys == 0) + { + wprintf(L"No matching keys found\n"); + } + +Cleanup: + if (pKeyName != NULL) + { + NCryptFreeBuffer(pKeyName); + pKeyName = NULL; + } + if (pEnumState != NULL) + { + NCryptFreeBuffer(pEnumState); + pEnumState = NULL; + } + if (hKey != NULL) + { + NCryptFreeObject(hKey); + hKey = NULL; + } + if (hProv != NULL) + { + NCryptFreeObject(hProv); + hProv = NULL; + } + PcpToolCallResult(L"PcpToolDeleteKeys()", hr); + return hr; +} + + + HRESULT PcpToolGetPubKey( int argc, diff --git a/PCPTool.v11/exe/Support.cpp b/PCPTool.v11/exe/Support.cpp index 9e5d4b8b..a2817f94 100644 --- a/PCPTool.v11/exe/Support.cpp +++ b/PCPTool.v11/exe/Support.cpp @@ -850,7 +850,7 @@ PcpToolDisplayLog( PcpToolLevelPrefix(level + 1); wprintf(L"\n", cbWBCL); - if (FAILED(hr = WbclApiInitIterator(pbWBCL, + if (FAILED(hr = WbclApiInitIteratorX(pbWBCL, cbWBCL, &wbclIterator))) { @@ -862,7 +862,7 @@ PcpToolDisplayLog( } for (; hr == S_OK; - hr = WbclApiMoveToNextElement(&wbclIterator)) + hr = WbclApiMoveToNextElementX(&wbclIterator)) { BYTE eventDataDigest[MAX_DIGEST_SIZE] = { 0 }; UINT32 PcrIndex; @@ -871,7 +871,7 @@ PcpToolDisplayLog( PBYTE pbEventData; PBYTE pbDigest; - hr = WbclApiGetCurrentElement( + hr = WbclApiGetCurrentElementX( &wbclIterator, &PcrIndex, &EventType, diff --git a/PCPTool.v11/exe/exe.vcxproj b/PCPTool.v11/exe/exe.vcxproj index f39a8cdb..d20d11ec 100644 --- a/PCPTool.v11/exe/exe.vcxproj +++ b/PCPTool.v11/exe/exe.vcxproj @@ -29,26 +29,26 @@ Application true - v140 + v143 Unicode Application true - v140 + v143 Unicode Application false - v140 + v143 true Unicode Application false - v140 + v143 true Unicode diff --git a/PCPTool.v11/exe/stdafx.h b/PCPTool.v11/exe/stdafx.h index 8376d46d..2e2d8961 100644 --- a/PCPTool.v11/exe/stdafx.h +++ b/PCPTool.v11/exe/stdafx.h 
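Review bot: In PcpToolDeleteKeys a failed NCryptDeleteKey leaves hr failed after the "Failed" message, so the `while (SUCCEEDED(hr))` loop drops out of that store early, the remaining matching keys in it are never visited, the stale pEnumState is handed to the next context's NCryptEnumKeys, and the error is then discarded when the outer for loop resets hr to S_OK. Two further gaps: `basic_regex(argv[2])` throws std::regex_error on a malformed pattern and nothing catches it, so a typo terminates the tool instead of reporting E_INVALIDARG, and a pKeyName that does not match the regex is never freed, so every non-matching entry leaks until Cleanup releases only the last one. Given that this deletes across both the machine and the user store with no confirmation or dry-run, I would also list the matches before deleting or require an explicit force flag, and the header comment should say the function deletes rather than "enumerate all keys". The hunk also contains the opening lines of PcpToolGetPubKey, which continues outside it.

```cpp
    // Mandatory parameter: key name pattern (ECMAScript, matched against the whole name)
    if (argc > 2)
    {
        try
        {
            regexKeyName = basic_regex(argv[2]);
        }
        catch (const regex_error&)
        {
            wprintf(L"Invalid key name regex: %s\n", argv[2]);
            hr = E_INVALIDARG;
            goto Cleanup;
        }
    }
    // … unchanged: usage message, NCryptOpenStorageProvider, enumeration loop head …

                if (regex_match(pKeyName->pszName, regexKeyName)) {
                    // … unchanged: matchingKeys++, NCryptOpenKey, "Deletes key" message …
                    if (FAILED(hr = (NCryptDeleteKey(hKey, 0))))
                    {
                        wprintf(L" Failed (0x%08lx)\n", hr);
                        hr = S_OK;   // report it, but keep walking this store instead of aborting the enumeration
                    }
                    // … unchanged: free hKey and pKeyName …
                }
                else
                {
                    // Every buffer NCryptEnumKeys hands back must be released, matching or not
                    NCryptFreeBuffer(pKeyName);
                    pKeyName = NULL;
                }
```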
@@ -39,6 +39,8 @@ Module Name: #include #include #include +#include +using namespace std; #include "targetver.h" #include "TpmAtt.h" diff --git a/PCPTool.v11/inc/TpmAtt.h b/PCPTool.v11/inc/TpmAtt.h index 6d6f5e46..942118a1 100644 --- a/PCPTool.v11/inc/TpmAtt.h +++ b/PCPTool.v11/inc/TpmAtt.h 
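Review bot: `using namespace std;` is added to stdafx.h, the precompiled header every translation unit of the exe includes, so the whole std namespace now leaks into each source file and can collide with Windows SDK names (the classic case is `std::byte` versus the SDK's `byte` typedef). Drop the directive and qualify the few uses in SDKSample.cpp instead: `std::basic_regex<wchar_t> regexKeyName;` and `std::regex_match(pKeyName->pszName, regexKeyName)`. The target of the new `#include` is not legible in this rendering (presumably <regex>); keeping that include in the header is fine, the using-directive is not.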
@@ -170,128 +170,6 @@ typedef struct _PCP_KEY_ATTESTATION_BLOB { #define TPM_STATIC_CONFIG_KEYATTEST_KEYS L"SYSTEM\\CurrentControlSet\\Services\\Tpm\\KeyAttestationKeys" #define TPM_VOLATILE_CONFIG_DATA L"System\\CurrentControlSet\\Control\\IntegrityServices" -// SIPA event structures - -// -// Describes the VSM/SMART identity public key. -// -typedef struct tag_SIPAEVENT_VSM_IDK_RSA_INFO -{ - // - // Length of the RSA IDK modulus in bits. - // - ULONG32 KeyBitLength; - - // - // Length of the RSA IDK public exponent in bytes. - // - ULONG32 PublicExpLengthBytes; - - // - // Length of the modulus field in bytes. - // - ULONG32 ModulusSizeBytes; - - // - // The layout of the PublicKeyData field is as follows: - // PublicExponent[PublicExpLengthBytes] in Big-endian. - // Modulus[ModulusSizeBytes] in Big-endian. - // - BYTE PublicKeyData[ANYSIZE_ARRAY]; - -} SIPAEVENT_VSM_IDK_RSA_INFO, *PSIPAEVENT_VSM_IDK_RSA_INFO; - -// -// Payload structure for the SIPAEVENT_VSM_IDK_INFO event. -// -typedef struct tag_SIPAEVENT_VSM_IDK_INFO_PAYLOAD -{ - // - // Specifies the algorithm used for IDK. Should be one of VSM_IDK_ALG_ID values. - // - ULONG32 KeyAlgID; - - // - // Algorithm-specific description of the public key. - // - union - { - // - // Description of the RSA public key. - // - SIPAEVENT_VSM_IDK_RSA_INFO RsaKeyInfo; - } DUMMYUNIONNAME; - -} SIPAEVENT_VSM_IDK_INFO_PAYLOAD, *PSIPAEVENT_VSM_IDK_INFO_PAYLOAD; - -// -// Payload structure used to carry information about any policy blob. -// -typedef struct tag_SIPAEVENT_SI_POLICY_PAYLOAD -{ - // - // Policy version - // - ULONGLONG PolicyVersion; - - // - // Indicates the length (in bytes) of the policy name stored as part of VarLengthData. - // - UINT16 PolicyNameLength; - - // - // Indicates hash algorithm ID used to produce policy digest. - // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256. - // - UINT16 HashAlgID; - - // - // Indicates the hash digest length (in bytes). 
Digest is stored as part of VarLengthData. - // - UINT32 DigestLength; - - // - // VarLengthData layout is: - // - // (Policy name is stored as a WCHAR string with a terminating zero). - // BYTE PolicyName[PolicyNameLength]. - // - // BYTE Digest[DigestLength] - // - _Field_size_bytes_(PolicyNameLength + DigestLength) - BYTE VarLengthData[ANYSIZE_ARRAY]; - -} SIPAEVENT_SI_POLICY_PAYLOAD, *PSIPAEVENT_SI_POLICY_PAYLOAD; - -// -// Payload structure used to carry information about revocation lists. -// -typedef struct tag_SIPAEVENT_REVOCATION_LIST_PAYLOAD -{ - // - // Creation time. - // - LONGLONG CreationTime; - - // - // Indicates the hash digest length (in bytes). - // - UINT32 DigestLength; - - // - // Indicates hash algorithm ID used to produce the revocation list digest. - // Contains one of the TPM_ALG_ID values, typically the TPM_ALG_SHA256. - // - UINT16 HashAlgID; - - // - // Hash digest of the revocation list. - // - _Field_size_bytes_(DigestLength) - BYTE Digest[ANYSIZE_ARRAY]; - -} SIPAEVENT_REVOCATION_LIST_PAYLOAD, *PSIPAEVENT_REVOCATION_LIST_PAYLOAD; - // WBCL parser APIs #pragma pack(push,1) 
@@ -315,38 +193,6 @@ typedef UINT16 WBCL_DIGEST_ALG_ID; #define WBCL_DIGEST_ALG_BITMAP_SHA_2_384 0x00000004 #define WBCL_DIGEST_ALG_BITMAP_SHA_2_512 0x00000008 -// -// An iterator object for WBCL log. -// -typedef struct _WBCL_Iterator -{ - // Pointer to the first element of the log. - PVOID firstElementPtr; - - // Log size in bytes. - UINT32 logSize; - - // Pointer to the current element of the log. - PVOID currentElementPtr; - - // Size of the current log entry pointed to by currentElementPtr. - UINT32 currentElementSize; - - // Size of the digest field of event log entries. - UINT16 digestSize; - - // Indicates the log format. - UINT16 logFormat; - - // number of algorithms stored in the following digest table. - UINT32 numberOfDigests; - - // points to the table in the header that contains the mapping of algorithm ids to digest sizes. - PVOID digestSizes; - - // Hash algorithm ID used for the log. The value corresponds to one of the TPM 2.0 ALG_ID values. - WBCL_DIGEST_ALG_ID hashAlgorithm; -} WBCL_Iterator, *PWBCL_Iterator; #pragma pack(pop) #if defined(__cplusplus) @@ -355,12 +201,12 @@ extern "C" { // WBCL parser functions (wbcl.h) -DllExport HRESULT WbclApiInitIterator( +DllExport HRESULT WbclApiInitIteratorX( _In_ PVOID pLogBuffer, _In_ UINT32 logSize, _Out_ WBCL_Iterator* pWbclIterator); -DllExport HRESULT WbclApiGetCurrentElement( +DllExport HRESULT WbclApiGetCurrentElementX( _In_ WBCL_Iterator* pWbclIterator, _Out_ UINT32* pcrIndex, _Out_ UINT32* eventType, @@ -369,7 +215,7 @@ DllExport HRESULT WbclApiGetCurrentElement( _Outptr_opt_result_bytebuffer_(*pcbElementDataSize) BYTE** ppbElementData ); -DllExport HRESULT WbclApiMoveToNextElement( +DllExport HRESULT WbclApiMoveToNextElementX( _In_ WBCL_Iterator* pWbclIterator); #ifndef NCRYPT_PCP_PLATFORM_BINDING_PCRALGID_PROPERTY
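Review bot: After this change TpmAtt.h still declares the three exported parsers with `_In_ WBCL_Iterator* pWbclIterator` parameters, but the WBCL_Iterator definition was removed from this header in the preceding hunk and nothing visible here supplies it; presumably the X suffix exists so these entry points can coexist with the Windows SDK's own wbcl.h, which would now be the source of that type. Add the include that provides it, or a comment above the declarations such as `// WBCL_Iterator comes from the Windows SDK wbcl.h; the X-suffixed entry points avoid clashing with its exports.`, so consumers know where the type comes from. The removed struct sat inside `#pragma pack(push,1)`; if the SDK's definition is laid out differently, the iterator this DLL fills in and the one a caller reads back will disagree, so that equivalence is worth confirming before shipping.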