xref: /aosp_15_r20/external/tpm2-tss/test/integration/fapi-key-create-policy-signed.int.c (revision 758e9fba6fc9adbf15340f70c73baee7b168b1c9)
1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3  * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4  * All rights reserved.
5  *******************************************************************************/
6 
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10 
11 #include <stdlib.h>
12 #include <stdio.h>
13 #include <string.h>
14 #include <errno.h>
15 #include <fcntl.h>
16 #include <unistd.h>
17 
18 #include <openssl/evp.h>
19 #include <openssl/rsa.h>
20 #include <openssl/engine.h>
21 #include <openssl/pem.h>
22 
23 #include "tss2_fapi.h"
24 
25 #include "test-fapi.h"
26 #define LOGMODULE test
27 #include "util/log.h"
28 #include "util/aux_util.h"
29 
30 #ifdef TEST_ECC
31 const char *priv_pem =
32     "-----BEGIN EC PRIVATE KEY-----\n"
33     "MHcCAQEEILE8jic/6w/lKoFTVblkNQ4Ls5IYibQNQ4Dk5B9R09ONoAoGCCqGSM49\n"
34     "AwEHoUQDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7pEiLMi03Jd0oP0aYnnXFjolz\n"
35     "IB/dBZ/t+BLh0PwLM5aAM/jugeLkHgpIyQ==\n"
36     "-----END EC PRIVATE KEY-----\n";
37 
38 const char *pub_pem =
39    "-----BEGIN PUBLIC KEY-----\n"
40     "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoJTa3zftdAzHC96IjpqQ/dnLm+p7\n"
41     "pEiLMi03Jd0oP0aYnnXFjolzIB/dBZ/t+BLh0PwLM5aAM/jugeLkHgpIyQ==\n"
42     "-----END PUBLIC KEY-----\n";
43 #else
44 const char *priv_pem =
45     "-----BEGIN PRIVATE KEY-----\n"
46     "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCgYvoisJIDOeYg\n"
47     "jMF6ywiZbu085TLvy5ZMhq5vfYqdgefvwpemutnfKSnpYOs5B4yO/gAD7XiYluDv\n"
48     "tqlVhfISeQV04xrWGzNImenpwm/HsgueAu8VTHNtWSL96G+BLedGTrs2NqX6cxN7\n"
49     "yGl7dQpB5X8iP4XSvpjP3Vb7gs+adwCJR6xFkt60jYFmwrAdhEzOeakhimi5rU21\n"
50     "LxCkRdEyaxS57X15L9dEA+aYJ+dvkFfZOfTqIKmTrA75F8yj161xflwtIC4hgRBg\n"
51     "K9Xb/RdN8TDrTu+20E3RjngutU4qejW9Fd3mzHJGV8HRYvjYXhUblN9wmjm7Veru\n"
52     "T2b0rnvzAgMBAAECggEBAIwHvoJ5DRJ6A50Zp3dROxHTEphfOEi6xF/OGxBGWLbK\n"
53     "C7l+eS9d5gj8BJa5QsXI/IR/6X2EYQ1AdeV04oVD7CUKuqPiALU8jFrv3pV0aGm+\n"
54     "3nu37gv3crPe5jkvLeNoM4tkA/oCXom63SDuyoG6nxkHiSdatLlaJUse4em3vRAL\n"
55     "QivziZIMyswcleMe0xAoMi7LO+nUFFxBS8/xGya0vsU0dsMQEl1SRITv1VCXmPQD\n"
56     "T4dEI4+1cufv6Ax0EDbFKmnjyiGTjOeQKrGIqETUSQolbg5PgL1XZehaaxM822OY\n"
57     "Qpnp5T0XhUEmVrOb2Wrboj+dC/2tgAN/fWXjAAxnm2ECgYEA02UTZuZ+QnD6tqo3\n"
58     "/y3n5kaM9uA2mdOIqgECI9psGF1IBIC/iP2diKyuvmQL8hzymComb5YzZl3TOAga\n"
59     "WHQYbIeU3JhnYTG75/Dv5Zh32H4NjkIJHT2/8LUM25Ove9u6QAniVgIQpBZ47LjX\n"
60     "9jHjTYCW5n79qNSfu0egYJUvypECgYEAwjqWzzEINqnX/xIVCoB4XpuDuSdkM0JW\n"
61     "MZDIH9xHjZPp07/5XYEoITylk6Zwbh+djvWDNP4gzPtuK26VsqrNxoWMsFZeXn6U\n"
62     "xSOYL2UNCZiOgchdZCOr+6r8LRUuo8xHjbawVoJVK1+tZ2WsR3ilt3Gw34O8Z5ep\n"
63     "f4v7GOXw+EMCgYAUHjFrgJIRhqkFi0uK+HZyXtJ5iDsKBqyh6Tin6tiQtQfujcYs\n"
64     "pl5ArJZwvhq47vJTcud3hSbdHh7E3ViMhHfylDChkct833vPhgl+ozT8oHpvyG8P\n"
65     "nlnO8ZwIpZR0yCOAhrBImSe2RgE6HhlHb9X/ATbbNsizMZEGBLoJlwkWUQKBgQCy\n"
66     "4U7fh2LvJUF+82JZh7RUPZn1Pmg0JVZI0/TcEv37UEy77kR1b2xMIBTGhTVq1sc/\n"
67     "ULIEbkA7SR1P9sr7//8AZSMLjJ/hG2dcoMmabNCzE8O7l5MblRbh87nIs4d+57bG\n"
68     "t4h0RBi4l6eWYLdoI59L8fNaB3PPXIiIpZ0eczeZDQKBgQC2vuFYpUZqDb9CaJsn\n"
69     "Luee6P6n5v3ZBTAT4E+GG1kWS28BiebcCuLKNAY4ZtLo08ozaTWcMxooOTeka2ux\n"
70     "fQDE4M/LTNpam8QOJ2hqECF5a0uBYNcbmaGtfA9KwIgwCZZYuwb5IDq/DRPuR690\n"
71     "i8Kp6jR2wY0suObmZHKvbCB1Dw==\n"
72     "-----END PRIVATE KEY-----\n";
73 
74 const char *pub_pem =
75     "-----BEGIN PUBLIC KEY-----\n"
76     "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI\n"
77     "mW7tPOUy78uWTIaub32KnYHn78KXprrZ3ykp6WDrOQeMjv4AA+14mJbg77apVYXy\n"
78     "EnkFdOMa1hszSJnp6cJvx7ILngLvFUxzbVki/ehvgS3nRk67Njal+nMTe8hpe3UK\n"
79     "QeV/Ij+F0r6Yz91W+4LPmncAiUesRZLetI2BZsKwHYRMznmpIYpoua1NtS8QpEXR\n"
80     "MmsUue19eS/XRAPmmCfnb5BX2Tn06iCpk6wO+RfMo9etcX5cLSAuIYEQYCvV2/0X\n"
81     "TfEw607vttBN0Y54LrVOKno1vRXd5sxyRlfB0WL42F4VG5TfcJo5u1Xq7k9m9K57\n"
82     "8wIDAQAB\n"
83     "-----END PUBLIC KEY-----\n";
84 #endif /* TEST_ECC */
85 
86 #define RSA_SIG_SCHEME RSA_PKCS1_PSS_PADDING
87 
88 char *userDataTest = "test";
89 
90 #define chknull(X) if (!X) { LOG_ERROR(str(X) "should not be null"); \
91                              r = TSS2_FAPI_RC_GENERAL_FAILURE; \
92                              goto error_cleanup; }
93 
94 static TSS2_RC
signatureCallback(FAPI_CONTEXT * context,char const * description,char const * publicKey,char const * publicKeyHint,uint32_t hashAlg,uint8_t const * dataToSign,size_t dataToSignSize,uint8_t ** signature,size_t * signatureSize,void * userData)95 signatureCallback(
96     FAPI_CONTEXT  *context,
97     char    const *description,
98     char    const *publicKey,
99     char    const *publicKeyHint,
100     uint32_t       hashAlg,
101     uint8_t const *dataToSign,
102     size_t         dataToSignSize,
103     uint8_t      **signature,
104     size_t        *signatureSize,
105     void          *userData)
106 {
107     (void)description;
108     (void)publicKey;
109     (void)publicKeyHint;
110 
111     if (userData != userDataTest) {
112         LOG_ERROR("userData is not correct, %p != %p", userData, userDataTest);
113         return TSS2_FAPI_RC_GENERAL_FAILURE;
114     }
115 
116     if (hashAlg != TPM2_ALG_SHA1) {
117         LOG_ERROR("hashAlg is not correct, %u != %u", hashAlg, TPM2_ALG_SHA256);
118         return TSS2_FAPI_RC_GENERAL_FAILURE;
119     }
120 
121     TSS2_RC r = TSS2_RC_SUCCESS;
122     EVP_PKEY *priv_key = NULL;
123     BIO *bufio = NULL;
124     EVP_MD_CTX *mdctx = NULL;
125     EVP_PKEY_CTX *pctx = NULL;
126 
127     const EVP_MD *ossl_hash = EVP_sha1();
128     chknull(ossl_hash);
129 
130     LOGBLOB_DEBUG(dataToSign, dataToSignSize, "Data to be signed");
131 
132     bufio = BIO_new_mem_buf((void *)priv_pem, strlen(priv_pem));
133     priv_key = PEM_read_bio_PrivateKey(bufio, NULL, NULL, NULL);
134     chknull(priv_key);
135 
136     mdctx = EVP_MD_CTX_create();
137     chknull(mdctx);
138 
139     if (1 != EVP_DigestSignInit(mdctx, &pctx, NULL, NULL, priv_key)) {
140         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL digest sign init.",
141                    error_cleanup);
142     }
143     if (EVP_PKEY_type(EVP_PKEY_id(priv_key)) == EVP_PKEY_RSA) {
144         int signing_scheme = RSA_SIG_SCHEME;
145         if (1 != EVP_PKEY_CTX_set_rsa_padding(pctx, signing_scheme)) {
146             goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL set RSA padding.",
147                        error_cleanup);
148         }
149     }
150     if (1 != EVP_DigestSignInit(mdctx, &pctx, ossl_hash, NULL, priv_key)) {
151         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign init.",
152                    error_cleanup);
153     }
154     if (1 != EVP_DigestSignUpdate(mdctx, dataToSign, dataToSignSize)) {
155         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign update.",
156                    error_cleanup);
157     }
158     if (1 != EVP_DigestSignFinal(mdctx, NULL, signatureSize)) {
159         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign final.",
160                    error_cleanup);
161     }
162     *signature = malloc(*signatureSize);
163     chknull(*signature);
164     if (1 != EVP_DigestSignFinal(mdctx, *signature, signatureSize)) {
165         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "OSSL sign final.",
166                    error_cleanup);
167     }
168 error_cleanup:
169     if (priv_key)
170         EVP_PKEY_free(priv_key);
171     if (bufio)
172         BIO_free(bufio);
173     if (mdctx)
174         EVP_MD_CTX_destroy(mdctx);
175     return r;
176 }
177 
178 #define PASSWORD NULL
179 
180 #define SIGN_TEMPLATE  "sign,noDa"
181 
182 /** Test the FAPI functions for key creation and usage with a PolicySigned.
183  *
184  * Tested FAPI commands:
185  *  - Fapi_Provision()
186  *  - Fapi_Import()
187  *  - Fapi_CreateKey()
188  *  - Fapi_SetSignCB()
189  *  - Fapi_Sign()
190  *  - Fapi_Delete()
191  *  - Fapi_List()
192  *
193  * Tested Policies:
194  *  - PolicySigned
195  *
196  * @param[in,out] context The FAPI_CONTEXT.
197  * @retval EXIT_FAILURE
198  * @retval EXIT_SUCCESS
199  */
200 int
test_fapi_key_create_policy_signed(FAPI_CONTEXT * context)201 test_fapi_key_create_policy_signed(FAPI_CONTEXT *context)
202 {
203     TSS2_RC r;
204 #ifdef TEST_ECC
205     char *policy_name = "/policy/pol_signed_ecc";
206     char *policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_signed_ecc.json";
207 #else
208     char *policy_name = "/policy/pol_signed";
209     char *policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_signed.json";
210 #endif
211     FILE *stream = NULL;
212     char *json_policy = NULL;
213     long policy_size;
214 
215     uint8_t *signature = NULL;
216     char    *publicKey = NULL;
217     char  *pathList = NULL;
218 
219     r = Fapi_Provision(context, NULL, NULL, NULL);
220     goto_if_error(r, "Error Fapi_Provision", error);
221 
222     r = pcr_reset(context, 16);
223     goto_if_error(r, "Error pcr_reset", error);
224 
225     stream = fopen(policy_file, "r");
226     if (!stream) {
227         LOG_ERROR("File %s does not exist", policy_file);
228         goto error;
229     }
230     fseek(stream, 0L, SEEK_END);
231     policy_size = ftell(stream);
232     fclose(stream);
233     json_policy = malloc(policy_size + 1);
234 		goto_if_null(json_policy,
235 				"Could not allocate memory for the JSON policy",
236 				TSS2_FAPI_RC_MEMORY, error);
237     stream = fopen(policy_file, "r");
238     ssize_t ret = read(fileno(stream), json_policy, policy_size);
239     if (ret != policy_size) {
240         LOG_ERROR("IO error %s.", policy_file);
241         goto error;
242     }
243     json_policy[policy_size] = '\0';
244 
245     r = Fapi_Import(context, policy_name, json_policy);
246     goto_if_error(r, "Error Fapi_Import", error);
247 
248     r = Fapi_CreateKey(context, "/HS/SRK/mySignKey", SIGN_TEMPLATE,
249                        policy_name, PASSWORD);
250     goto_if_error(r, "Error Fapi_CreateKey", error);
251     size_t signatureSize = 0;
252 
253     TPM2B_DIGEST digest = {
254         .size = 20,
255         .buffer = {
256             0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
257             0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f
258         }
259     };
260 
261     r = Fapi_SetSignCB(context, signatureCallback, userDataTest);
262     goto_if_error(r, "Error SetPolicySignatureCallback", error);
263 
264     r = Fapi_Sign(context, "/HS/SRK/mySignKey", NULL,
265                   &digest.buffer[0], digest.size, &signature, &signatureSize,
266                   &publicKey, NULL);
267     goto_if_error(r, "Error Fapi_Sign", error);
268 
269     r = Fapi_Delete(context, "/HS/SRK");
270     goto_if_error(r, "Error Fapi_Delete", error);
271 
272     r = Fapi_List(context, "/", &pathList);
273     goto_if_error(r, "Error Fapi_List", error);
274 
275     fprintf(stderr, "\n%s\n", pathList);
276 
277     fclose(stream);
278     SAFE_FREE(json_policy);
279     SAFE_FREE(signature);
280     SAFE_FREE(publicKey);
281     SAFE_FREE(pathList);
282     return EXIT_SUCCESS;
283 
284 error:
285     SAFE_FREE(json_policy);
286     SAFE_FREE(signature);
287     SAFE_FREE(publicKey);
288     SAFE_FREE(pathList);
289     return EXIT_FAILURE;
290 }
291 
292 int
test_invoke_fapi(FAPI_CONTEXT * fapi_context)293 test_invoke_fapi(FAPI_CONTEXT *fapi_context)
294 {
295     return test_fapi_key_create_policy_signed(fapi_context);
296 }
297