1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_iutil.h"
16 #define LOGMODULE test
17 #include "util/log.h"
18 #include "util/aux_util.h"
19
20 /** This test is intended to test the function Esys_MakeCredential
21 * We start by creating a primary key (Esys_CreatePrimary).
22 *
23 * Based in the primary a second key will be created.
24 * The public part of the key will be loaded by the function
25 * Esys_LoadExternal. A credential will be encrypted with this
26 * key with the command Esys_MakeCredential. The credential
27 * will be activated with Esys_ActivateCredential.
28 *
29 * Tested ESAPI commands:
30 * - Esys_ActivateCredential() (M)
31 * - Esys_Create() (M)
32 * - Esys_CreatePrimary() (M)
33 * - Esys_FlushContext() (M)
34 * - Esys_Load() (M)
35 * - Esys_LoadExternal() (M)
36 * - Esys_MakeCredential() (M)
37 * - Esys_ReadPublic() (M)
38 * - Esys_StartAuthSession() (M)
39 *
40 * Used compiler defines: TEST_SESSION
41 *
42 * @param[in,out] esys_context The ESYS_CONTEXT.
43 * @retval EXIT_FAILURE
44 * @retval EXIT_SUCCESS
45 */
46
47 int
test_esys_make_credential(ESYS_CONTEXT * esys_context)48 test_esys_make_credential(ESYS_CONTEXT * esys_context)
49 {
50 TSS2_RC r;
51 ESYS_TR primaryHandle = ESYS_TR_NONE;
52 ESYS_TR loadedKeyHandle = ESYS_TR_NONE;
53
54 TPM2B_PUBLIC *outPublic = NULL;
55 TPM2B_CREATION_DATA *creationData = NULL;
56 TPM2B_DIGEST *creationHash = NULL;
57 TPMT_TK_CREATION *creationTicket = NULL;
58
59 TPM2B_PUBLIC *outPublic2 = NULL;
60 TPM2B_PRIVATE *outPrivate2 = NULL;
61 TPM2B_CREATION_DATA *creationData2 = NULL;
62 TPM2B_DIGEST *creationHash2 = NULL;
63 TPMT_TK_CREATION *creationTicket2 = NULL;
64
65 TPM2B_PUBLIC *primaryKeyPublic = NULL;
66 TPM2B_NAME *primaryKeyName = NULL;
67 TPM2B_NAME *primaryKeyQualifiedName = NULL;
68
69 TPM2B_ID_OBJECT *credentialBlob = NULL;
70 TPM2B_ENCRYPTED_SECRET *secret = NULL;
71
72 TPM2B_DIGEST *certInfo = NULL;
73
74 #ifdef TEST_SESSION
75 ESYS_TR session = ESYS_TR_NONE;
76 ESYS_TR session2 = ESYS_TR_NONE;
77 TPMT_SYM_DEF symmetric = {.algorithm = TPM2_ALG_AES,
78 .keyBits = {.aes = 128},
79 .mode = {.aes = TPM2_ALG_CFB}
80 };
81 TPMA_SESSION sessionAttributes;
82 TPM2B_NONCE nonceCaller = {
83 .size = 20,
84 .buffer = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
85 11, 12, 13, 14, 15, 16, 17, 18, 19, 20}
86 };
87
88 memset(&sessionAttributes, 0, sizeof sessionAttributes);
89
90 RSRC_NODE_T *session_node;
91
92 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
93 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
94 &nonceCaller,
95 TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1,
96 &session);
97 goto_if_error(r, "Error: During initialization of session", error);
98
99 r = esys_GetResourceObject(esys_context, session,
100 &session_node);
101 goto_if_error(r, "Error Esys GetResourceObject", error);
102
103 LOG_INFO("Created session with handle 0x%08x...",
104 session_node->rsrc.handle);
105
106 RSRC_NODE_T *session2_node;
107
108 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
109 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
110 &nonceCaller,
111 TPM2_SE_HMAC, &symmetric, TPM2_ALG_SHA1,
112 &session2);
113 goto_if_error(r, "Error: During initialization of session", error);
114
115 r = esys_GetResourceObject(esys_context, session2,
116 &session2_node);
117 goto_if_error(r, "Error Esys GetResourceObject", error);
118
119 LOG_INFO("Created session2 with handle 0x%08x...",
120 session2_node->rsrc.handle);
121
122 #endif /* TEST_SESSION */
123
124 TPM2B_AUTH authValuePrimary = {
125 .size = 5,
126 .buffer = {1, 2, 3, 4, 5}
127 };
128
129 TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
130 .size = 0,
131 .sensitive = {
132 .userAuth = {
133 .size = 0,
134 .buffer = {0 },
135 },
136 .data = {
137 .size = 0,
138 .buffer = {0},
139 },
140 },
141 };
142
143 inSensitivePrimary.sensitive.userAuth = authValuePrimary;
144
145 TPM2B_PUBLIC inPublic = {
146 .size = 0,
147 .publicArea = {
148 .type = TPM2_ALG_RSA,
149 .nameAlg = TPM2_ALG_SHA256,
150 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
151 TPMA_OBJECT_RESTRICTED |
152 TPMA_OBJECT_DECRYPT |
153 TPMA_OBJECT_FIXEDTPM |
154 TPMA_OBJECT_FIXEDPARENT |
155 TPMA_OBJECT_SENSITIVEDATAORIGIN),
156 .authPolicy = {
157 .size = 0,
158 },
159 .parameters.rsaDetail = {
160 .symmetric = {
161 .algorithm = TPM2_ALG_AES,
162 .keyBits.aes = 128,
163 .mode.aes = TPM2_ALG_CFB},
164 .scheme = {
165 .scheme = TPM2_ALG_NULL
166 },
167 .keyBits = 2048,
168 .exponent = 0,
169 },
170 .unique.rsa = {
171 .size = 0,
172 .buffer = {},
173 },
174 },
175 };
176 LOG_INFO("\nRSA key will be created.");
177
178 TPM2B_DATA outsideInfo = {
179 .size = 0,
180 .buffer = {},
181 };
182
183 TPML_PCR_SELECTION creationPCR = {
184 .count = 0,
185 };
186
187 TPM2B_AUTH authValue = {
188 .size = 0,
189 .buffer = {}
190 };
191
192 r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
193 goto_if_error(r, "Error: TR_SetAuth", error);
194
195 RSRC_NODE_T *primaryHandle_node;
196
197 r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
198 ESYS_TR_NONE, ESYS_TR_NONE, &inSensitivePrimary, &inPublic,
199 &outsideInfo, &creationPCR, &primaryHandle,
200 &outPublic, &creationData, &creationHash,
201 &creationTicket);
202 goto_if_error(r, "Error esys create primary", error);
203
204 r = esys_GetResourceObject(esys_context, primaryHandle,
205 &primaryHandle_node);
206 goto_if_error(r, "Error Esys GetResourceObject", error);
207
208 LOG_INFO("Created Primary with handle 0x%08x...",
209 primaryHandle_node->rsrc.handle);
210
211 r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary);
212 goto_if_error(r, "Error: TR_SetAuth", error);
213
214 TPM2B_AUTH authKey2 = {
215 .size = 6,
216 .buffer = {6, 7, 8, 9, 10, 11}
217 };
218
219 TPM2B_SENSITIVE_CREATE inSensitive2 = {
220 .size = 0,
221 .sensitive = {
222 .userAuth = {
223 .size = 0,
224 .buffer = {0}
225 },
226 .data = {
227 .size = 0,
228 .buffer = {}
229 }
230 }
231 };
232
233 inSensitive2.sensitive.userAuth = authKey2;
234
235 TPM2B_PUBLIC inPublic2 = {
236 .size = 0,
237 .publicArea = {
238 .type = TPM2_ALG_RSA,
239 .nameAlg = TPM2_ALG_SHA256,
240 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
241 TPMA_OBJECT_RESTRICTED |
242 TPMA_OBJECT_DECRYPT |
243 TPMA_OBJECT_FIXEDTPM |
244 TPMA_OBJECT_FIXEDPARENT |
245 TPMA_OBJECT_SENSITIVEDATAORIGIN),
246
247 .authPolicy = {
248 .size = 0,
249 },
250 .parameters.rsaDetail = {
251 .symmetric = {
252 .algorithm = TPM2_ALG_AES,
253 .keyBits.aes = 128,
254 .mode.aes = TPM2_ALG_CFB
255 },
256 .scheme = {
257 .scheme =
258 TPM2_ALG_NULL,
259 },
260 .keyBits = 2048,
261 .exponent = 0
262 },
263 .unique.rsa = {
264 .size = 0,
265 .buffer = {}
266 ,
267 }
268 }
269 };
270
271 TPM2B_DATA outsideInfo2 = {
272 .size = 0,
273 .buffer = {}
274 ,
275 };
276
277 TPML_PCR_SELECTION creationPCR2 = {
278 .count = 0,
279 };
280
281 r = Esys_Create(esys_context,
282 primaryHandle,
283 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
284 &inSensitive2,
285 &inPublic2,
286 &outsideInfo2,
287 &creationPCR2,
288 &outPrivate2,
289 &outPublic2,
290 &creationData2, &creationHash2, &creationTicket2);
291 goto_if_error(r, "Error esys create ", error);
292
293 LOG_INFO("\nSecond key created.");
294
295 r = Esys_LoadExternal(esys_context,
296 ESYS_TR_NONE,
297 ESYS_TR_NONE,
298 ESYS_TR_NONE,
299 NULL,
300 outPublic2,
301 TPM2_RH_OWNER,
302 &loadedKeyHandle);
303 goto_if_error(r, "Error esys load external", error);
304
305 r = Esys_ReadPublic(esys_context,
306 primaryHandle,
307 ESYS_TR_NONE,
308 ESYS_TR_NONE,
309 ESYS_TR_NONE,
310 &primaryKeyPublic,
311 &primaryKeyName,
312 &primaryKeyQualifiedName);
313
314 goto_if_error(r, "Error esys read public", error);
315
316 TPM2B_DIGEST credential = {
317 .size = 20,
318 .buffer = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
319 11, 12, 13, 14, 15, 16, 17, 18, 19, 20}};
320
321 r = Esys_MakeCredential(esys_context,
322 loadedKeyHandle,
323 ESYS_TR_NONE,
324 ESYS_TR_NONE,
325 ESYS_TR_NONE,
326 &credential,
327 primaryKeyName,
328 &credentialBlob,
329 &secret
330 );
331 goto_if_error(r, "Error: MakeCredential", error);
332
333 r = Esys_FlushContext(esys_context, loadedKeyHandle);
334 goto_if_error(r, "Error esys flush context", error);
335
336 r = Esys_Load(esys_context,
337 primaryHandle,
338 #ifdef TEST_SESSION
339 session,
340 #else
341 ESYS_TR_PASSWORD,
342 #endif
343 ESYS_TR_NONE,
344 ESYS_TR_NONE, outPrivate2, outPublic2, &loadedKeyHandle);
345 goto_if_error(r, "Error esys load ", error);
346
347 LOG_INFO("\nSecond Key loaded.");
348
349 r = Esys_TR_SetAuth(esys_context, loadedKeyHandle, &authKey2);
350 goto_if_error(r, "Error: TR_SetAuth", error);
351
352 r = Esys_ActivateCredential(esys_context,
353 primaryHandle,
354 loadedKeyHandle,
355
356 #ifdef TEST_SESSION
357 session,
358 #else
359 ESYS_TR_PASSWORD,
360 #endif
361 #ifdef TEST_SESSION
362 session2,
363 #else
364 ESYS_TR_PASSWORD,
365 #endif
366 ESYS_TR_NONE,
367 credentialBlob,
368 secret,
369 &certInfo
370 );
371 goto_if_error(r, "Error: ActivateCredential", error);
372
373 r = Esys_FlushContext(esys_context, primaryHandle);
374 goto_if_error(r, "Error during FlushContext", error);
375
376 r = Esys_FlushContext(esys_context, loadedKeyHandle);
377 goto_if_error(r, "Error esys flush context", error);
378
379 #ifdef TEST_SESSION
380 r = Esys_FlushContext(esys_context, session);
381 goto_if_error(r, "Flushing context", error);
382
383 r = Esys_FlushContext(esys_context, session2);
384 goto_if_error(r, "Flushing context", error);
385 #endif
386
387 Esys_Free(outPublic);
388 Esys_Free(creationData);
389 Esys_Free(creationHash);
390 Esys_Free(creationTicket);
391
392 Esys_Free(outPublic2);
393 Esys_Free(outPrivate2);
394 Esys_Free(creationData2);
395 Esys_Free(creationHash2);
396 Esys_Free(creationTicket2);
397
398 Esys_Free(primaryKeyPublic);
399 Esys_Free(primaryKeyName);
400 Esys_Free(primaryKeyQualifiedName);
401
402 Esys_Free(credentialBlob);
403 Esys_Free(secret);
404
405 Esys_Free(certInfo);
406
407 return EXIT_SUCCESS;
408
409 error:
410
411 #ifdef TEST_SESSION
412 if (session != ESYS_TR_NONE) {
413 if (Esys_FlushContext(esys_context, session) != TSS2_RC_SUCCESS) {
414 LOG_ERROR("Cleanup session failed.");
415 }
416 }
417
418 if (session2 != ESYS_TR_NONE) {
419 if (Esys_FlushContext(esys_context, session2) != TSS2_RC_SUCCESS) {
420 LOG_ERROR("Cleanup session2 failed.");
421 }
422 }
423 #endif
424
425 if (loadedKeyHandle != ESYS_TR_NONE) {
426 if (Esys_FlushContext(esys_context, loadedKeyHandle) != TSS2_RC_SUCCESS) {
427 LOG_ERROR("Cleanup loadedKeyHandle failed.");
428 }
429 }
430
431 if (primaryHandle != ESYS_TR_NONE) {
432 if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
433 LOG_ERROR("Cleanup primaryHandle failed.");
434 }
435 }
436
437 Esys_Free(outPublic);
438 Esys_Free(creationData);
439 Esys_Free(creationHash);
440 Esys_Free(creationTicket);
441
442 Esys_Free(outPublic2);
443 Esys_Free(outPrivate2);
444 Esys_Free(creationData2);
445 Esys_Free(creationHash2);
446 Esys_Free(creationTicket2);
447
448 Esys_Free(primaryKeyPublic);
449 Esys_Free(primaryKeyName);
450 Esys_Free(primaryKeyQualifiedName);
451
452 Esys_Free(credentialBlob);
453 Esys_Free(secret);
454
455 Esys_Free(certInfo);
456 return EXIT_FAILURE;
457 }
458
459 int
test_invoke_esapi(ESYS_CONTEXT * esys_context)460 test_invoke_esapi(ESYS_CONTEXT * esys_context) {
461 return test_esys_make_credential(esys_context);
462 }
463