/* SPDX-License-Identifier: BSD-2-Clause */ /******************************************************************************* * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG * All rights reserved. *******************************************************************************/ #ifdef HAVE_CONFIG_H #include #endif #include #include "tss2_esys.h" #include "tss2_mu.h" #include "esys_iutil.h" #include "test-esapi.h" #define LOGMODULE test #include "util/log.h" #include "util/aux_util.h" /** This test is intended to test the ESAPI commands Duplicate and Rewrap. * * We start by creating a primary key (Esys_CreatePrimary). * This primary key will be used as parent key for the Duplicate * command. A second primary key will be the parent key of the * duplicated key. In the last step the key is rewrapped with the * first primary key as parent key. * * Tested ESAPI commands: * - Esys_Create() (M) * - Esys_CreatePrimary() (M) * - Esys_Duplicate() (M) * - Esys_FlushContext() (M) * - Esys_Load() (M) * - Esys_PolicyAuthValue() (M) * - Esys_PolicyCommandCode() (M) * - Esys_PolicyGetDigest() (M) * - Esys_ReadPublic() (M) * - Esys_Rewrap() (O) * - Esys_StartAuthSession() (M) * * @param[in,out] esys_context The ESYS_CONTEXT. * @retval EXIT_FAILURE * @retval EXIT_SKIP * @retval EXIT_SUCCESS */ int test_esys_duplicate(ESYS_CONTEXT * esys_context) { TSS2_RC r; ESYS_TR primaryHandle = ESYS_TR_NONE; ESYS_TR primaryHandle2 = ESYS_TR_NONE; ESYS_TR loadedKeyHandle = ESYS_TR_NONE; ESYS_TR policySession = ESYS_TR_NONE; int failure_return = EXIT_FAILURE; TPM2B_DIGEST *policyDigestTrial = NULL; TPM2B_PUBLIC *outPublic = NULL; TPM2B_CREATION_DATA *creationData = NULL; TPM2B_DIGEST *creationHash = NULL; TPMT_TK_CREATION *creationTicket = NULL; TPM2B_PUBLIC *outPublic2 = NULL; TPM2B_PRIVATE *outPrivate2 = NULL; TPM2B_CREATION_DATA *creationData2 = NULL; TPM2B_DIGEST *creationHash2 = NULL; TPMT_TK_CREATION *creationTicket2 = NULL; TPM2B_PUBLIC *keyPublic = NULL; TPM2B_NAME *keyName = NULL; TPM2B_NAME *keyQualifiedName = NULL; TPM2B_DATA *encryptionKeyOut = NULL; TPM2B_PRIVATE *duplicate = NULL; TPM2B_ENCRYPTED_SECRET *outSymSeed = NULL; TPM2B_PRIVATE *outDuplicate = NULL; TPM2B_ENCRYPTED_SECRET *outSymSeed2 = NULL; /* * First the policy value to be able to use Esys_Duplicate for an object has to be * determined with a policy trial session. */ ESYS_TR sessionTrial = ESYS_TR_NONE; TPMT_SYM_DEF symmetricTrial = {.algorithm = TPM2_ALG_AES, .keyBits = {.aes = 128}, .mode = {.aes = TPM2_ALG_CFB} }; TPM2B_NONCE nonceCallerTrial = { .size = 20, .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30} }; r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &nonceCallerTrial, TPM2_SE_TRIAL, &symmetricTrial, TPM2_ALG_SHA1, &sessionTrial); goto_if_error(r, "Error: During initialization of policy trial session", error); r = Esys_PolicyAuthValue(esys_context, sessionTrial, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE ); goto_if_error(r, "Error: PolicyAuthValue", error); r = Esys_PolicyCommandCode(esys_context, sessionTrial, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, TPM2_CC_Duplicate ); goto_if_error(r, "Error: PolicyCommandCode", error); r = Esys_PolicyGetDigest(esys_context, sessionTrial, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &policyDigestTrial ); goto_if_error(r, "Error: PolicyGetDigest", error); TPM2B_AUTH authValuePrimary = { .size = 5, .buffer = {1, 2, 3, 4, 5} }; TPM2B_SENSITIVE_CREATE inSensitivePrimary = { .size = 0, .sensitive = { .userAuth = { .size = 0, .buffer = {0 }, }, .data = { .size = 0, .buffer = {0}, }, }, }; inSensitivePrimary.sensitive.userAuth = authValuePrimary; TPM2B_PUBLIC inPublic = { .size = 0, .publicArea = { .type = TPM2_ALG_RSA, .nameAlg = TPM2_ALG_SHA1, .objectAttributes = (TPMA_OBJECT_USERWITHAUTH | TPMA_OBJECT_RESTRICTED | TPMA_OBJECT_DECRYPT | TPMA_OBJECT_FIXEDTPM | TPMA_OBJECT_FIXEDPARENT | TPMA_OBJECT_SENSITIVEDATAORIGIN), .authPolicy = { .size = 0, }, .parameters.rsaDetail = { .symmetric = { .algorithm = TPM2_ALG_AES, .keyBits.aes = 128, .mode.aes = TPM2_ALG_CFB}, .scheme = { .scheme = TPM2_ALG_NULL }, .keyBits = 2048, .exponent = 0, }, .unique.rsa = { .size = 0, .buffer = {}, }, }, }; LOG_INFO("\nRSA key will be created."); TPM2B_DATA outsideInfo = { .size = 0, .buffer = {}, }; TPML_PCR_SELECTION creationPCR = { .count = 0, }; TPM2B_AUTH authValue = { .size = 0, .buffer = {} }; r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue); goto_if_error(r, "Error: TR_SetAuth", error); RSRC_NODE_T *primaryHandle_node; r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &inSensitivePrimary, &inPublic, &outsideInfo, &creationPCR, &primaryHandle, &outPublic, &creationData, &creationHash, &creationTicket); goto_if_error(r, "Error esys create primary", error); Esys_Free(outPublic); Esys_Free(creationData); Esys_Free(creationHash); Esys_Free(creationTicket); r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &inSensitivePrimary, &inPublic, &outsideInfo, &creationPCR, &primaryHandle2, &outPublic, &creationData, &creationHash, &creationTicket); goto_if_error(r, "Error esys create primary", error); r = esys_GetResourceObject(esys_context, primaryHandle, &primaryHandle_node); goto_if_error(r, "Error Esys GetResourceObject", error); LOG_INFO("Created Primary with handle 0x%08x...", primaryHandle_node->rsrc.handle); r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary); goto_if_error(r, "Error: TR_SetAuth", error); TPM2B_AUTH authKey2 = { .size = 6, .buffer = {6, 7, 8, 9, 10, 11} }; TPM2B_SENSITIVE_CREATE inSensitive2 = { .size = 0, .sensitive = { .userAuth = { .size = 0, .buffer = {0} }, .data = { .size = 0, .buffer = {} } } }; inSensitive2.sensitive.userAuth = authKey2; TPM2B_PUBLIC inPublic2 = { .size = 0, .publicArea = { .type = TPM2_ALG_RSA, .nameAlg = TPM2_ALG_SHA1, .objectAttributes = (TPMA_OBJECT_USERWITHAUTH | TPMA_OBJECT_RESTRICTED | TPMA_OBJECT_DECRYPT | TPMA_OBJECT_SENSITIVEDATAORIGIN), .authPolicy = { .size = 0, }, .parameters.rsaDetail = { .symmetric = { .algorithm = TPM2_ALG_AES, .keyBits.aes = 128, .mode.aes = TPM2_ALG_CFB }, .scheme = { .scheme = TPM2_ALG_NULL, }, .keyBits = 2048, .exponent = 0 }, .unique.rsa = { .size = 0, .buffer = {} , } } }; TPM2B_DATA outsideInfo2 = { .size = 0, .buffer = {} , }; TPML_PCR_SELECTION creationPCR2 = { .count = 0, }; inPublic2.publicArea.authPolicy = *policyDigestTrial; r = Esys_Create(esys_context, primaryHandle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, &inSensitive2, &inPublic2, &outsideInfo2, &creationPCR2, &outPrivate2, &outPublic2, &creationData2, &creationHash2, &creationTicket2); goto_if_error(r, "Error esys create ", error); LOG_INFO("\nSecond key created."); r = Esys_Load(esys_context, primaryHandle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, outPrivate2, outPublic2, &loadedKeyHandle); goto_if_error(r, "Error esys load ", error); LOG_INFO("\nSecond Key loaded."); r = Esys_TR_SetAuth(esys_context, loadedKeyHandle, &authKey2); goto_if_error(r, "Error esys TR_SetAuth ", error); r = Esys_ReadPublic(esys_context, loadedKeyHandle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &keyPublic, &keyName, &keyQualifiedName); goto_if_error(r, "Error esys ReadPublic", error); TPMT_SYM_DEF policySymmetric = {.algorithm = TPM2_ALG_AES, .keyBits = {.aes = 128}, .mode = {.aes = TPM2_ALG_CFB} }; TPM2B_NONCE policyNonceCaller = { .size = 20, .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30} }; r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, &policyNonceCaller, TPM2_SE_POLICY, &policySymmetric, TPM2_ALG_SHA1, &policySession); goto_if_error(r, "Error: During initialization of policy trial session", error); r = Esys_PolicyAuthValue(esys_context, policySession, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE ); goto_if_error(r, "Error: PolicyAuthValue", error); r = Esys_PolicyCommandCode(esys_context, policySession, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, TPM2_CC_Duplicate ); goto_if_error(r, "Error: PolicyCommandCode", error); TPM2B_DATA encryptionKey = { .size = 16, .buffer = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 } }; TPMT_SYM_DEF_OBJECT symmetric = {.algorithm = TPM2_ALG_AES, .keyBits = {.aes = 128}, .mode = {.aes = TPM2_ALG_CFB}}; r = Esys_Duplicate( esys_context, loadedKeyHandle, primaryHandle2, policySession, ESYS_TR_NONE, ESYS_TR_NONE, &encryptionKey, &symmetric, &encryptionKeyOut, &duplicate, &outSymSeed); goto_if_error(r, "Error: Duplicate", error); r = Esys_Rewrap(esys_context, primaryHandle2, primaryHandle, ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, duplicate, keyName, outSymSeed, &outDuplicate, &outSymSeed2); if ((r == TPM2_RC_COMMAND_CODE) || (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) || (r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) { LOG_WARNING("Command TPM2_Rewrap not supported by TPM."); failure_return = EXIT_SKIP; goto error; } goto_if_error(r, "Error: Rewrap", error); r = Esys_FlushContext(esys_context, primaryHandle); goto_if_error(r, "Flushing context", error); primaryHandle = ESYS_TR_NONE; r = Esys_FlushContext(esys_context, primaryHandle2); goto_if_error(r, "Flushing context", error); primaryHandle2 = ESYS_TR_NONE; r = Esys_FlushContext(esys_context, loadedKeyHandle); goto_if_error(r, "Flushing context", error); loadedKeyHandle = ESYS_TR_NONE; r = Esys_FlushContext(esys_context, sessionTrial); goto_if_error(r, "Flushing context", error); r = Esys_FlushContext(esys_context, policySession); goto_if_error(r, "Flushing context", error); Esys_Free(policyDigestTrial); Esys_Free(outPublic); Esys_Free(creationData); Esys_Free(creationHash); Esys_Free(creationTicket); Esys_Free(outPublic2); Esys_Free(outPrivate2); Esys_Free(creationData2); Esys_Free(creationHash2); Esys_Free(creationTicket2); Esys_Free(keyPublic); Esys_Free(keyName); Esys_Free(keyQualifiedName); Esys_Free(encryptionKeyOut); Esys_Free(duplicate); Esys_Free(outSymSeed); Esys_Free(outDuplicate); Esys_Free(outSymSeed2); return EXIT_SUCCESS; error: if (policySession != ESYS_TR_NONE) { if (Esys_FlushContext(esys_context, policySession) != TSS2_RC_SUCCESS) { LOG_ERROR("Cleanup policySession failed."); } } if (sessionTrial != ESYS_TR_NONE) { if (Esys_FlushContext(esys_context, sessionTrial) != TSS2_RC_SUCCESS) { LOG_ERROR("Cleanup sessionTrial failed."); } } if (loadedKeyHandle != ESYS_TR_NONE) { if (Esys_FlushContext(esys_context, loadedKeyHandle) != TSS2_RC_SUCCESS) { LOG_ERROR("Cleanup loadedKeyHandle failed."); } } if (primaryHandle != ESYS_TR_NONE) { if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) { LOG_ERROR("Cleanup primaryHandle failed."); } } if (primaryHandle2 != ESYS_TR_NONE) { if (Esys_FlushContext(esys_context, primaryHandle2) != TSS2_RC_SUCCESS) { LOG_ERROR("Cleanup primaryHandle2 failed."); } } Esys_Free(policyDigestTrial); Esys_Free(outPublic); Esys_Free(creationData); Esys_Free(creationHash); Esys_Free(creationTicket); Esys_Free(outPublic2); Esys_Free(outPrivate2); Esys_Free(creationData2); Esys_Free(creationHash2); Esys_Free(creationTicket2); Esys_Free(keyPublic); Esys_Free(keyName); Esys_Free(keyQualifiedName); Esys_Free(encryptionKeyOut); Esys_Free(duplicate); Esys_Free(outSymSeed); Esys_Free(outDuplicate); Esys_Free(outSymSeed2); return failure_return; } int test_invoke_esapi(ESYS_CONTEXT * esys_context) { return test_esys_duplicate(esys_context); }