1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14
15 #include "esys_iutil.h"
16 #define LOGMODULE test
17 #include "util/log.h"
18 #include "util/aux_util.h"
19
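/** This test is intended to test password authentication for the ESAPI command
 * Create.
 *
 * We start by creating a primary key (Esys_CreatePrimary).
 * Based on the primary, a second key with a password defined in the sensitive
 * area will be created.
 * This key will be loaded and will be used as parent to create a third key.
 * Password authentication will be used to create this key.
 *
 * Tested ESAPI commands:
 * - Esys_Create() (M)
 * - Esys_CreatePrimary() (M)
 * - Esys_FlushContext() (M)
 * - Esys_Load() (M)
 *
 * Used compiler defines: TEST_ECC
 *
 * Ownership: every TPM2B_* / TPMT_* output returned by the ESAPI calls below is
 * owned by this function and released with Esys_Free on both the success and
 * the error path. The transient objects created on the TPM are flushed on both
 * paths as well.
 *
 * @param[in,out] esys_context The ESYS_CONTEXT.
 * @retval EXIT_FAILURE
 * @retval EXIT_SUCCESS
 */

int
test_esys_create_password_auth(ESYS_CONTEXT * esys_context)
{
    TSS2_RC r;
    ESYS_TR primaryHandle = ESYS_TR_NONE;
    ESYS_TR loadedKeyHandle = ESYS_TR_NONE;

    /* Outputs of Esys_CreatePrimary. */
    TPM2B_PUBLIC *outPublic = NULL;
    TPM2B_CREATION_DATA *creationData = NULL;
    TPM2B_DIGEST *creationHash = NULL;
    TPMT_TK_CREATION *creationTicket = NULL;

    /* Outputs of the two Esys_Create calls. The same pointers are reused for
     * the second call, so they are released AND reset to NULL in between. */
    TPM2B_PUBLIC *outPublic2 = NULL;
    TPM2B_PRIVATE *outPrivate2 = NULL;
    TPM2B_CREATION_DATA *creationData2 = NULL;
    TPM2B_DIGEST *creationHash2 = NULL;
    TPMT_TK_CREATION *creationTicket2 = NULL;

    /* Fixed test password for the primary key; it is placed into the
     * sensitive area below and later registered with Esys_TR_SetAuth. */
    TPM2B_AUTH authValuePrimary = {
        .size = 5,
        .buffer = {1, 2, 3, 4, 5}
    };

    TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
        .size = 0,
        .sensitive = {
            .userAuth = {
                .size = 0,
                .buffer = {0},
            },
            .data = {
                .size = 0,
                .buffer = {0},
            },
        },
    };

    inSensitivePrimary.sensitive.userAuth = authValuePrimary;

#ifdef TEST_ECC
    /* Restricted ECDSA/P-256 signing primary (fixed to this TPM and parent). */
    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_ECC,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_RESTRICTED |
                                 TPMA_OBJECT_SIGN_ENCRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = {
                .size = 0,
            },
            .parameters.eccDetail = {
                .symmetric = {
                    .algorithm = TPM2_ALG_NULL,
                    .keyBits.aes = 128,
                    .mode.aes = TPM2_ALG_CFB,
                },
                .scheme = {
                    .scheme = TPM2_ALG_ECDSA,
                    .details = {
                        .ecdsa = {.hashAlg = TPM2_ALG_SHA256}},
                },
                .curveID = TPM2_ECC_NIST_P256,
                .kdf = {
                    .scheme = TPM2_ALG_NULL,
                    .details = {0}}
            },
            .unique.ecc = {
                .x = {.size = 0, .buffer = {0}},
                .y = {.size = 0, .buffer = {0}},
            },
        },
    };
    LOG_INFO("\nECC key will be created.");
#else
    /* Restricted RSA-2048 decryption (storage) primary with AES-128-CFB
     * symmetric protection for child objects. */
    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_RESTRICTED |
                                 TPMA_OBJECT_DECRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = {
                .size = 0,
            },
            .parameters.rsaDetail = {
                .symmetric = {
                    .algorithm = TPM2_ALG_AES,
                    .keyBits.aes = 128,
                    .mode.aes = TPM2_ALG_CFB},
                .scheme = {
                    .scheme = TPM2_ALG_NULL
                },
                .keyBits = 2048,
                .exponent = 0,
            },
            .unique.rsa = {
                .size = 0,
                .buffer = {0},
            },
        },
    };
    LOG_INFO("\nRSA key will be created.");
#endif /* TEST_ECC */

    TPM2B_DATA outsideInfo = {
        .size = 0,
        .buffer = {0},
    };

    TPML_PCR_SELECTION creationPCR = {
        .count = 0,
    };

    /* The test assumes the owner hierarchy has an empty auth value. */
    TPM2B_AUTH authValue = {
        .size = 0,
        .buffer = {0}
    };

    r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
    goto_if_error(r, "Error: TR_SetAuth", error);

    RSRC_NODE_T *primaryHandle_node = NULL;
    r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
                           ESYS_TR_NONE, ESYS_TR_NONE,
                           &inSensitivePrimary, &inPublic,
                           &outsideInfo, &creationPCR, &primaryHandle,
                           &outPublic, &creationData, &creationHash,
                           &creationTicket);
    goto_if_error(r, "Error esys create primary", error);

    /* Only needed to log the TPM handle behind the ESYS_TR. */
    r = esys_GetResourceObject(esys_context, primaryHandle,
                               &primaryHandle_node);
    goto_if_error(r, "Error Esys GetResourceObject", error);

    LOG_INFO("Created Primary with handle 0x%08x...",
             primaryHandle_node->rsrc.handle);

    /* Register the primary's password so the password session used by the
     * following Esys_Create / Esys_Load can authorize with it. */
    r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary);
    goto_if_error(r, "Error: TR_SetAuth", error);

    /* Password of the second key (the one that will be loaded). */
    TPM2B_AUTH authKey2 = {
        .size = 6,
        .buffer = {6, 7, 8, 9, 10, 11}
    };

    TPM2B_SENSITIVE_CREATE inSensitive2 = {
        .size = 0,
        .sensitive = {
            .userAuth = {
                .size = 0,
                .buffer = {0}
            },
            .data = {
                .size = 0,
                .buffer = {0}
            }
        }
    };

    inSensitive2.sensitive.userAuth = authKey2;

    /* The third key gets no password of its own. */
    TPM2B_SENSITIVE_CREATE inSensitive3 = {
        .size = 0,
        .sensitive = {
            .userAuth = {
                .size = 0,
                .buffer = {0}
            },
            .data = {
                .size = 0,
                .buffer = {0}
            }
        }
    };

    /* Template shared by both Esys_Create calls: restricted RSA-2048
     * storage key, so the second key can itself act as parent. */
    TPM2B_PUBLIC inPublic2 = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_RESTRICTED |
                                 TPMA_OBJECT_DECRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),

            .authPolicy = {
                .size = 0,
            },
            .parameters.rsaDetail = {
                .symmetric = {
                    .algorithm = TPM2_ALG_AES,
                    .keyBits.aes = 128,
                    .mode.aes = TPM2_ALG_CFB
                },
                .scheme = {
                    .scheme = TPM2_ALG_NULL,
                },
                .keyBits = 2048,
                .exponent = 0
            },
            .unique.rsa = {
                .size = 0,
                .buffer = {0},
            }
        }
    };

    TPM2B_DATA outsideInfo2 = {
        .size = 0,
        .buffer = {0},
    };

    TPML_PCR_SELECTION creationPCR2 = {
        .count = 0,
    };

    /* Second key: created under the primary, authorized with the primary's
     * password via ESYS_TR_PASSWORD. */
    r = Esys_Create(esys_context,
                    primaryHandle,
                    ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                    &inSensitive2,
                    &inPublic2,
                    &outsideInfo2,
                    &creationPCR2,
                    &outPrivate2,
                    &outPublic2,
                    &creationData2, &creationHash2, &creationTicket2);
    goto_if_error(r, "Error esys create ", error);

    LOG_INFO("\nSecond key created.");

    r = Esys_Load(esys_context,
                  primaryHandle,
                  ESYS_TR_PASSWORD,
                  ESYS_TR_NONE,
                  ESYS_TR_NONE, outPrivate2, outPublic2, &loadedKeyHandle);
    goto_if_error(r, "Error esys load ", error);

    LOG_INFO("\nSecond Key loaded.");

    /* Register the loaded key's password so it can authorize the next Create. */
    r = Esys_TR_SetAuth(esys_context, loadedKeyHandle, &authKey2);
    goto_if_error(r, "Error esys TR_SetAuth ", error);

    /* Release the outputs of the first Esys_Create before the same pointers
     * are reused for the second call. They are reset to NULL as well: should
     * the second Esys_Create fail before writing its outputs, the error path
     * below would otherwise hand the stale pointers to Esys_Free a second
     * time (double free). */
    Esys_Free(outPublic2);
    outPublic2 = NULL;
    Esys_Free(outPrivate2);
    outPrivate2 = NULL;
    Esys_Free(creationData2);
    creationData2 = NULL;
    Esys_Free(creationHash2);
    creationHash2 = NULL;
    Esys_Free(creationTicket2);
    creationTicket2 = NULL;

    /* Third key: created under the loaded second key, authorized with that
     * key's password - this is the password authentication under test. */
    r = Esys_Create(esys_context,
                    loadedKeyHandle,
                    ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
                    &inSensitive3,
                    &inPublic2,
                    &outsideInfo2,
                    &creationPCR2,
                    &outPrivate2,
                    &outPublic2,
                    &creationData2, &creationHash2, &creationTicket2);
    goto_if_error(r, "Error esys second create ", error);

    /* Mark each handle as flushed before checking the result, so the error
     * path does not try to flush it a second time. */
    r = Esys_FlushContext(esys_context, primaryHandle);
    primaryHandle = ESYS_TR_NONE;
    goto_if_error(r, "Error during FlushContext", error);

    r = Esys_FlushContext(esys_context, loadedKeyHandle);
    loadedKeyHandle = ESYS_TR_NONE;
    goto_if_error(r, "Error during FlushContext", error);

    Esys_Free(outPublic);
    Esys_Free(creationData);
    Esys_Free(creationHash);
    Esys_Free(creationTicket);
    Esys_Free(outPublic2);
    Esys_Free(outPrivate2);
    Esys_Free(creationData2);
    Esys_Free(creationHash2);
    Esys_Free(creationTicket2);
    return EXIT_SUCCESS;

error:

    /* Best-effort cleanup of whatever is still loaded on the TPM; a failed
     * flush is logged but does not change the (already failing) result. */
    if (loadedKeyHandle != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, loadedKeyHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup loadedKeyHandle failed.");
        }
    }

    if (primaryHandle != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup primaryHandle failed.");
        }
    }

    /* Every pointer here is either NULL or owned exactly once. */
    Esys_Free(outPublic);
    Esys_Free(creationData);
    Esys_Free(creationHash);
    Esys_Free(creationTicket);
    Esys_Free(outPublic2);
    Esys_Free(outPrivate2);
    Esys_Free(creationData2);
    Esys_Free(creationHash2);
    Esys_Free(creationTicket2);
    return EXIT_FAILURE;
}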
359
/** Entry point called by the integration-test harness.
 *
 * Delegates to the single test case in this file and passes its result
 * through unchanged.
 *
 * @param[in,out] esys_context The ESYS_CONTEXT.
 * @retval EXIT_SUCCESS on success, EXIT_FAILURE otherwise (as returned by
 *         test_esys_create_password_auth).
 */
int
test_invoke_esapi(ESYS_CONTEXT * esys_context)
{
    int result = test_esys_create_password_auth(esys_context);
    return result;
}
364