1 /* SPDX-License-Identifier: BSD-2-Clause */
2
3 #ifdef HAVE_CONFIG_H
4 #include <config.h>
5 #endif
6
7 #include <stdlib.h>
8
9 #include "tss2_esys.h"
10
11 #include "esys_iutil.h"
12 #define LOGMODULE test
13 #include "util/log.h"
14 #include "util/aux_util.h"
15
16 /** This test is intended to test policy authentication for the ESAPI command
17 * Create.
18 *
19 * We start by creating a primary key with a password and policy.
20 * Based in the primary a second key will be created using the prinary key's
21 * policy for authorization.
22 *
23 * Tested ESAPI commands:
24 * - Esys_StartAuthSession() (M)
25 * - Esys_PolicyCommandCode() (M)
26 * - Esys_PolicyGetDigest() (M)
27 * - Esys_FlushContext() (M)
28 * - Esys_CreatePrimary() (M)
29 * - Esys_Create() (M)
30 *
31 * Used compiler defines: TEST_ECC
32 *
33 * @param[in,out] esys_context The ESYS_CONTEXT.
34 * @retval EXIT_FAILURE
35 * @retval EXIT_SUCCESS
36 */
37
38 int
test_esys_create_policy_auth(ESYS_CONTEXT * esys_context)39 test_esys_create_policy_auth(ESYS_CONTEXT * esys_context)
40 {
41 TSS2_RC r;
42 ESYS_TR primaryHandle = ESYS_TR_NONE;
43 ESYS_TR trialHandle = ESYS_TR_NONE;
44 ESYS_TR policyHandle = ESYS_TR_NONE;
45
46 TPM2B_DIGEST *trialDigest = NULL;
47 TPM2B_PUBLIC *outPublic = NULL;
48 TPM2B_PUBLIC *outPublic2 = NULL;
49 TPM2B_PRIVATE *outPrivate2 = NULL;
50
51 TPMT_SYM_DEF policyAlgo = {
52 .algorithm = TPM2_ALG_AES,
53 .keyBits.aes = 128,
54 .mode.aes = TPM2_ALG_CFB,
55 };
56
57 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
58 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
59 NULL, TPM2_SE_TRIAL, &policyAlgo,
60 TPM2_ALG_SHA256, &trialHandle);
61 goto_if_error(r, "Error esys start trial session", error);
62
63 r = Esys_PolicyCommandCode(esys_context, trialHandle, ESYS_TR_NONE,
64 ESYS_TR_NONE, ESYS_TR_NONE, TPM2_CC_Create);
65 goto_if_error(r, "Error esys policy command code", error);
66
67 r = Esys_PolicyGetDigest(esys_context, trialHandle, ESYS_TR_NONE,
68 ESYS_TR_NONE, ESYS_TR_NONE, &trialDigest);
69 goto_if_error(r, "Error esys policy get digest", error);
70
71 r = Esys_FlushContext(esys_context, trialHandle);
72 goto_if_error(r, "Error esys flush context", error);
73
74 TPM2B_AUTH authValuePrimary = {
75 .size = 5,
76 .buffer = {1, 2, 3, 4, 5}
77 };
78
79 TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
80 .size = 0,
81 .sensitive = {
82 .userAuth = {
83 .size = 0,
84 .buffer = {0},
85 },
86 .data = {
87 .size = 0,
88 .buffer = {0},
89 },
90 },
91 };
92
93 inSensitivePrimary.sensitive.userAuth = authValuePrimary;
94
95 #ifdef TEST_ECC
96 TPM2B_PUBLIC inPublic = {
97 .size = 0,
98 .publicArea = {
99 .type = TPM2_ALG_ECC,
100 .nameAlg = TPM2_ALG_SHA256,
101 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
102 TPMA_OBJECT_RESTRICTED |
103 TPMA_OBJECT_DECRYPT |
104 TPMA_OBJECT_FIXEDTPM |
105 TPMA_OBJECT_FIXEDPARENT |
106 TPMA_OBJECT_SENSITIVEDATAORIGIN),
107 .authPolicy = *trialDigest,
108 .parameters.eccDetail = {
109 .symmetric = {
110 .algorithm = TPM2_ALG_NULL,
111 .keyBits.aes = 128,
112 .mode.aes = TPM2_ALG_CFB,
113 },
114 .scheme = {
115 .scheme = TPM2_ALG_ECDSA,
116 .details = {
117 .ecdsa = {.hashAlg = TPM2_ALG_SHA256}},
118 },
119 .curveID = TPM2_ECC_NIST_P256,
120 .kdf = {
121 .scheme = TPM2_ALG_NULL,
122 .details = {}}
123 },
124 .unique.ecc = {
125 .x = {.size = 0,.buffer = {}},
126 .y = {.size = 0,.buffer = {}},
127 },
128 },
129 };
130 LOG_INFO("\nECC key will be created.");
131 #else
132 TPM2B_PUBLIC inPublic = {
133 .size = 0,
134 .publicArea = {
135 .type = TPM2_ALG_RSA,
136 .nameAlg = TPM2_ALG_SHA256,
137 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
138 TPMA_OBJECT_RESTRICTED |
139 TPMA_OBJECT_DECRYPT |
140 TPMA_OBJECT_FIXEDTPM |
141 TPMA_OBJECT_FIXEDPARENT |
142 TPMA_OBJECT_SENSITIVEDATAORIGIN),
143 .authPolicy = *trialDigest,
144 .parameters.rsaDetail = {
145 .symmetric = {
146 .algorithm = TPM2_ALG_AES,
147 .keyBits.aes = 128,
148 .mode.aes = TPM2_ALG_CFB},
149 .scheme = {
150 .scheme = TPM2_ALG_NULL
151 },
152 .keyBits = 2048,
153 .exponent = 0,
154 },
155 .unique.rsa = {
156 .size = 0,
157 .buffer = {},
158 },
159 },
160 };
161 LOG_INFO("\nRSA key will be created.");
162 #endif /* TEST_ECC */
163
164 TPM2B_DATA outsideInfo = {
165 .size = 0,
166 .buffer = {},
167 };
168
169 TPML_PCR_SELECTION creationPCR = {
170 .count = 0,
171 };
172
173 r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
174 ESYS_TR_NONE, ESYS_TR_NONE,
175 &inSensitivePrimary, &inPublic,
176 &outsideInfo, &creationPCR, &primaryHandle,
177 &outPublic, NULL, NULL, NULL);
178 goto_if_error(r, "Error esys create primary", error);
179
180 LOG_INFO("Created Primary Key");
181
182 r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary);
183 goto_if_error(r, "Error: TR_SetAuth", error);
184
185 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
186 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
187 NULL, TPM2_SE_POLICY, &policyAlgo,
188 TPM2_ALG_SHA256, &policyHandle);
189 goto_if_error(r, "Error esys start policy session", error);
190
191 r = Esys_PolicyCommandCode(esys_context, policyHandle, ESYS_TR_NONE,
192 ESYS_TR_NONE, ESYS_TR_NONE, TPM2_CC_Create);
193 goto_if_error(r, "Error esys policy command code", error);
194
195 TPM2B_SENSITIVE_CREATE inSensitive2 = {
196 .size = 0,
197 .sensitive = {
198 .userAuth = {
199 .size = 0,
200 .buffer = {0}
201 },
202 .data = {
203 .size = 0,
204 .buffer = {0}
205 }
206 }
207 };
208
209 TPM2B_PUBLIC inPublic2 = {
210 .size = 0,
211 .publicArea = {
212 .type = TPM2_ALG_RSA,
213 .nameAlg = TPM2_ALG_SHA256,
214 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
215 TPMA_OBJECT_RESTRICTED |
216 TPMA_OBJECT_DECRYPT |
217 TPMA_OBJECT_FIXEDTPM |
218 TPMA_OBJECT_FIXEDPARENT |
219 TPMA_OBJECT_SENSITIVEDATAORIGIN),
220
221 .authPolicy = {
222 .size = 0,
223 },
224 .parameters.rsaDetail = {
225 .symmetric = {
226 .algorithm = TPM2_ALG_AES,
227 .keyBits.aes = 128,
228 .mode.aes = TPM2_ALG_CFB
229 },
230 .scheme = {
231 .scheme =
232 TPM2_ALG_NULL,
233 },
234 .keyBits = 2048,
235 .exponent = 0
236 },
237 .unique.rsa = {
238 .size = 0,
239 .buffer = {}
240 ,
241 }
242 }
243 };
244
245 TPM2B_DATA outsideInfo2 = {
246 .size = 0,
247 .buffer = {}
248 ,
249 };
250
251 TPML_PCR_SELECTION creationPCR2 = {
252 .count = 0,
253 };
254
255 r = Esys_Create(esys_context, primaryHandle, policyHandle, ESYS_TR_NONE,
256 ESYS_TR_NONE, &inSensitive2, &inPublic2, &outsideInfo2,
257 &creationPCR2, &outPrivate2, &outPublic2, NULL, NULL, NULL);
258 goto_if_error(r, "Error esys create ", error);
259
260 LOG_INFO("\nSecond key created.");
261
262 r = Esys_FlushContext(esys_context, policyHandle);
263 policyHandle = ESYS_TR_NONE;
264 goto_if_error(r, "Error during FlushContext", error);
265
266 r = Esys_FlushContext(esys_context, primaryHandle);
267 primaryHandle = ESYS_TR_NONE;
268 goto_if_error(r, "Error during FlushContext", error);
269
270 Esys_Free(trialDigest);
271 Esys_Free(outPublic);
272 Esys_Free(outPublic2);
273 Esys_Free(outPrivate2);
274 return EXIT_SUCCESS;
275
276 error:
277
278 if (trialHandle != ESYS_TR_NONE) {
279 if (Esys_FlushContext(esys_context, trialHandle) != TSS2_RC_SUCCESS) {
280 LOG_ERROR("Cleanup trialHandle failed.");
281 }
282 }
283
284 if (policyHandle != ESYS_TR_NONE) {
285 if (Esys_FlushContext(esys_context, policyHandle) != TSS2_RC_SUCCESS) {
286 LOG_ERROR("Cleanup policyHandle failed.");
287 }
288 }
289
290 if (primaryHandle != ESYS_TR_NONE) {
291 if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
292 LOG_ERROR("Cleanup primaryHandle failed.");
293 }
294 }
295
296 Esys_Free(trialDigest);
297 Esys_Free(outPublic);
298 Esys_Free(outPublic2);
299 Esys_Free(outPrivate2);
300 return EXIT_FAILURE;
301 }
302
303 int
test_invoke_esapi(ESYS_CONTEXT * esys_context)304 test_invoke_esapi(ESYS_CONTEXT * esys_context) {
305 return test_esys_create_policy_auth(esys_context);
306 }
307