1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14 #include "tss2_mu.h"
15
16 #include "esys_iutil.h"
17 #define LOGMODULE test
18 #include "util/log.h"
19 #include "util/aux_util.h"
20
21 /** This test is intended to test the ESAPI policy authorization.
22 *
23 * Tested ESAPI commands:
24 * - Esys_CreatePrimary() (M)
25 * - Esys_FlushContext() (M)
26 * - Esys_PolicyAuthorize() (M)
27 * - Esys_PolicyGetDigest() (M)
28 * - Esys_ReadPublic() (M)
29 * - Esys_StartAuthSession() (M)
30 *
31 * @param[in,out] esys_context The ESYS_CONTEXT.
32 * @retval EXIT_FAILURE
33 * @retval EXIT_SUCCESS
34 */
35
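int
test_esys_policy_authorize(ESYS_CONTEXT * esys_context)
{
    /*
     * Flow: create an RSA signing primary under the owner hierarchy, open a
     * trial policy session, call PolicyAuthorize with the key's name and read
     * back the resulting policy digest. Every ESAPI failure jumps to the
     * `error` label, which flushes any live handle and frees all output
     * buffers, so each pointer and handle must stay in a state that is safe
     * to release exactly once.
     */
    TSS2_RC r;
    ESYS_TR primaryHandle = ESYS_TR_NONE;
    ESYS_TR sessionTrial = ESYS_TR_NONE;

    /* Outputs allocated by ESAPI; released with Esys_Free() on both exits. */
    TPM2B_PUBLIC *outPublic = NULL;
    TPM2B_CREATION_DATA *creationData = NULL;
    TPM2B_DIGEST *creationHash = NULL;
    TPMT_TK_CREATION *creationTicket = NULL;

    TPM2B_NAME *nameKeySign = NULL;
    TPM2B_NAME *keyQualifiedName = NULL;
    TPM2B_DIGEST *policyAuthorizeDigest = NULL;

    /*
     * 1. Create Primary. This primary will be used for PolicyAuthorize.
     */

    /* Fixed, trivially guessable auth value: test fixture only. */
    TPM2B_AUTH authValuePrimary = {
        .size = 5,
        .buffer = {1, 2, 3, 4, 5}
    };

    TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
        .size = 0,
        .sensitive = {
            .userAuth = authValuePrimary,
            .data = {
                 .size = 0,
                 .buffer = {0},
             },
        },
    };

    /*
     * NOTE(review): SHA-1 is used as name algorithm, signing-scheme hash and
     * (below) session hash. That is tolerable for a test fixture; policies
     * meant for deployment would normally use SHA-256 or stronger.
     */
    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            .nameAlg = TPM2_ALG_SHA1,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_SIGN_ENCRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = {
                 .size = 0,
             },
            .parameters.rsaDetail = {
                 .symmetric = {
                     .algorithm = TPM2_ALG_NULL,
                     .keyBits.aes = 128,
                     .mode.aes = TPM2_ALG_CFB},
                 .scheme = {
                      .scheme = TPM2_ALG_RSAPSS,
                      .details = {
                          .rsapss = { .hashAlg = TPM2_ALG_SHA1 }
                      }
                  },
                 .keyBits = 2048,
                 .exponent = 0,
             },
            .unique.rsa = {
                 .size = 0,
                 .buffer = {},
             },
        },
    };
    LOG_INFO("\nRSA key will be created.");

    TPM2B_DATA outsideInfo = {
        .size = 0,
        .buffer = {},
    };

    TPML_PCR_SELECTION creationPCR = {
        .count = 0,
    };

    /* Empty auth value for the owner hierarchy. */
    TPM2B_AUTH authValue = {
        .size = 0,
        .buffer = {}
    };

    r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
    goto_if_error(r, "Error: TR_SetAuth", error);

    r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
                           ESYS_TR_NONE, ESYS_TR_NONE,
                           &inSensitivePrimary, &inPublic,
                           &outsideInfo, &creationPCR, &primaryHandle,
                           &outPublic, &creationData, &creationHash,
                           &creationTicket);
    goto_if_error(r, "Error esys create primary", error);

    /*
     * The public area from CreatePrimary is not needed; ReadPublic fills
     * outPublic again further down. Reset the pointer after freeing it:
     * otherwise a failure in StartAuthSession or ReadPublic would reach the
     * error path with a dangling pointer and free it a second time. (The
     * error path already hands never-assigned NULL pointers to Esys_Free.)
     */
    Esys_Free(outPublic);
    outPublic = NULL;

    /*
     * 2. Create a trial policy with PolicyAuthorized. The name primary key
     *    will be passed and the primary key will be used to sign policies.
     */
    TPMT_SYM_DEF symmetricTrial = {.algorithm = TPM2_ALG_AES,
                                   .keyBits = {.aes = 128},
                                   .mode = {.aes = TPM2_ALG_CFB}
    };
    /* Hard-coded caller nonce: keeps the test deterministic, test use only. */
    TPM2B_NONCE nonceCallerTrial = {
        .size = 20,
        .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
                   21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
    };

    r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              &nonceCallerTrial,
                              TPM2_SE_TRIAL, &symmetricTrial, TPM2_ALG_SHA1,
                              &sessionTrial);
    goto_if_error(r, "Error: During initialization of policy trial session", error);

    /*
     * Dummy data for first call of PolicyAuthorize.
     * NOTE(review): the ticket digest is all zeroes, so this only works if
     * the TPM skips ticket validation for trial sessions; confirm against
     * the TPM2_PolicyAuthorize description in the TPM 2.0 specification.
     */
    TPM2B_DIGEST approvedPolicy = {0};
    TPM2B_NONCE policyRef = {0};
    TPMT_TK_VERIFIED checkTicket = {
        .tag = TPM2_ST_VERIFIED,
        .hierarchy = TPM2_RH_OWNER,
        .digest = {0}
    };

    /* Fetch the name of the signing key; PolicyAuthorize takes it as input. */
    r = Esys_ReadPublic(esys_context,
                        primaryHandle,
                        ESYS_TR_NONE,
                        ESYS_TR_NONE,
                        ESYS_TR_NONE,
                        &outPublic,
                        &nameKeySign,
                        &keyQualifiedName);
    goto_if_error(r, "Error: ReadPublic", error);

    r = Esys_PolicyAuthorize(
        esys_context,
        sessionTrial,
        ESYS_TR_NONE,
        ESYS_TR_NONE,
        ESYS_TR_NONE,
        &approvedPolicy,
        &policyRef,
        nameKeySign,
        &checkTicket
        );
    goto_if_error(r, "Error: PolicyAuthorize", error);

    r = Esys_PolicyGetDigest(esys_context,
                             sessionTrial,
                             ESYS_TR_NONE,
                             ESYS_TR_NONE,
                             ESYS_TR_NONE,
                             &policyAuthorizeDigest);
    goto_if_error(r, "Error: PolicyGetDigest", error);

    r = Esys_FlushContext(esys_context, sessionTrial);
    goto_if_error(r, "Error: FlushContext", error);
    /*
     * The session is gone; clear the handle so that a failure while flushing
     * the primary below does not make the error path flush it again.
     */
    sessionTrial = ESYS_TR_NONE;

    r = Esys_FlushContext(esys_context, primaryHandle);
    goto_if_error(r, "Error: FlushContext", error);

    Esys_Free(outPublic);
    Esys_Free(creationData);
    Esys_Free(creationHash);
    Esys_Free(creationTicket);

    Esys_Free(nameKeySign);
    Esys_Free(keyQualifiedName);
    Esys_Free(policyAuthorizeDigest);
    return EXIT_SUCCESS;

 error:

    /* Best-effort cleanup: a failed flush is logged, never propagated. */
    if (sessionTrial != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, sessionTrial) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup sessionTrial failed.");
        }
    }

    if (primaryHandle != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup primaryHandle failed.");
        }
    }

    Esys_Free(outPublic);
    Esys_Free(creationData);
    Esys_Free(creationHash);
    Esys_Free(creationTicket);

    Esys_Free(nameKeySign);
    Esys_Free(keyQualifiedName);
    Esys_Free(policyAuthorizeDigest);
    return EXIT_FAILURE;
}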
236
/*
 * Thin wrapper: forwards the ESYS context to test_esys_policy_authorize()
 * and returns that function's exit status unchanged.
 */
int
test_invoke_esapi(ESYS_CONTEXT * esys_context)
{
    const int status = test_esys_policy_authorize(esys_context);

    return status;
}
241