1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_fapi.h"
14
15 #include "test-fapi.h"
16 #include "fapi_util.h"
17 #include "fapi_int.h"
18
19 #include "esys_iutil.h"
20 #define LOGMODULE test
21 #include "util/log.h"
22 #include "util/aux_util.h"
23
24 #define PASSWORD "abc"
25 #define SIGN_TEMPLATE "sign,noDa"
26
27 static TSS2_RC
auth_callback(FAPI_CONTEXT * context,char const * description,char ** auth,void * userData)28 auth_callback(
29 FAPI_CONTEXT *context,
30 char const *description,
31 char **auth,
32 void *userData)
33 {
34 (void)description;
35 (void)userData;
36 char *pw = PASSWORD;
37 if (!pw)
38 return TSS2_FAPI_RC_GENERAL_FAILURE;
39
40 *auth = strdup(pw);
41 return TSS2_RC_SUCCESS;
42 }
43
44 /** Test the FAPI functions for key creation and usage with an SH password.
45 *
46 * Tested FAPI commands:
47 * - Fapi_Provision()
48 * - Fapi_SetAuthCB()
49 * - Fapi_CreateKey()
50 * - Fapi_GetTpmBlobs()
51 * - Fapi_Sign()
52 * - Fapi_SetCertificate()
53 * - Fapi_List()
54 * - Fapi_ChangeAuth()
55 * - Fapi_Delete()
56 *
57 * @param[in,out] context The FAPI_CONTEXT.
58 * @retval EXIT_FAILURE
59 * @retval EXIT_SUCCESS
60 */
61 int
test_fapi_key_create_sign_password_provision(FAPI_CONTEXT * context)62 test_fapi_key_create_sign_password_provision(FAPI_CONTEXT *context)
63 {
64 TSS2_RC r;
65 char *sigscheme = NULL;
66 uint8_t *publicblob = NULL;
67 uint8_t *privateblob = NULL;
68 uint8_t *signature = NULL;
69 char *publicKey = NULL;
70 char *path_list = NULL;
71
72 size_t publicsize;
73 size_t privatesize;
74
75 const char *cert =
76 "-----BEGIN CERTIFICATE-----\n"
77 "MIIDBjCCAe4CCQDcvXBOEVM0UTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJE\n"
78 "RTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n"
79 "cyBQdHkgTHRkMB4XDTE5MDIyODEwNDkyM1oXDTM1MDgyNzEwNDkyM1owRTELMAkG\n"
80 "A1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\n"
81 "IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
82 "AKBi+iKwkgM55iCMwXrLCJlu7TzlMu/LlkyGrm99ip2B5+/Cl6a62d8pKelg6zkH\n"
83 "jI7+AAPteJiW4O+2qVWF8hJ5BXTjGtYbM0iZ6enCb8eyC54C7xVMc21ZIv3ob4Et\n"
84 "50ZOuzY2pfpzE3vIaXt1CkHlfyI/hdK+mM/dVvuCz5p3AIlHrEWS3rSNgWbCsB2E\n"
85 "TM55qSGKaLmtTbUvEKRF0TJrFLntfXkv10QD5pgn52+QV9k59OogqZOsDvkXzKPX\n"
86 "rXF+XC0gLiGBEGAr1dv9F03xMOtO77bQTdGOeC61Tip6Nb0V3ebMckZXwdFi+Nhe\n"
87 "FRuU33CaObtV6u5PZvSue/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcamUPe8I\n"
88 "nMOHcv9x5lVN1joihVRmKc0QqNLFc6XpJY8+U5rGkZvOcDe9Da8L97wDNXpKmU/q\n"
89 "pprj3rT8l3v0Z5xs8Vdr8lxS6T5NhqQV0UCsn1x14gZJcE48y9/LazYi6Zcar+BX\n"
90 "Am4vewAV3HmQ8X2EctsRhXe4wlAq4slIfEWaaofa8ai7BzO9KwpMLsGPWoNetkB9\n"
91 "19+SFt0lFFOj/6vDw5pCpSd1nQlo1ug69mJYSX/wcGkV4t4LfGhV8jRPDsGs6I5n\n"
92 "ETHSN5KV1XCPYJmRCjFY7sIt1x4zN7JJRO9DVw+YheIlduVfkBiF+GlQgLlFTjrJ\n"
93 "VrpSGMIFSu301A==\n"
94 "-----END CERTIFICATE-----\n";
95
96 if (strcmp("P_ECC", fapi_profile) != 0)
97 sigscheme = "RSA_PSS";
98
99 /* We need to reset the passwords again, in order to not brick physical TPMs */
100 r = Fapi_Provision(context, NULL, PASSWORD, NULL);
101 goto_if_error(r, "Error Fapi_Provision", error);
102
103 r = Fapi_SetAuthCB(context, auth_callback, NULL);
104 goto_if_error(r, "Error SetPolicyAuthCallback", error);
105
106 r = Fapi_CreateKey(context, "HS/SRK/mySignKey", SIGN_TEMPLATE, "",
107 PASSWORD);
108
109 goto_if_error(r, "Error Fapi_CreateKey", error);
110 size_t signatureSize = 0;
111
112 TPM2B_DIGEST digest = {
113 .size = 20,
114 .buffer = {
115 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
116 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f
117 }
118 };
119
120 r = Fapi_GetTpmBlobs(context, "HS/SRK/mySignKey", &publicblob,
121 &publicsize,
122 &privateblob, &privatesize, NULL);
123 goto_if_error(r, "Error Fapi_GetTpmBlobs", error);
124
125 r = Fapi_Sign(context, "HS/SRK/mySignKey", sigscheme,
126 &digest.buffer[0], digest.size, &signature, &signatureSize,
127 &publicKey, NULL);
128 goto_if_error(r, "Error Fapi_Sign", error);
129
130 r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", cert);
131 goto_if_error(r, "Error Fapi_SetCertificate", error);
132
133 r = Fapi_List(context, "/", &path_list);
134 goto_if_error(r, "Error Fapi_Delete", error);
135
136 fprintf(stderr, "\nPathList:\n%s\n", path_list);
137
138 /* We need to reset the passwords again, in order to not brick physical TPMs */
139 r = Fapi_ChangeAuth(context, "/HS", NULL);
140 goto_if_error(r, "Error Fapi_ChangeAuth", error);
141
142 r = Fapi_Delete(context, "/");
143 goto_if_error(r, "Error Fapi_Delete", error);
144
145 SAFE_FREE(publicblob);
146 SAFE_FREE(privateblob);
147 SAFE_FREE(signature);
148 SAFE_FREE(publicKey);
149 SAFE_FREE(path_list);
150 return EXIT_SUCCESS;
151
152 error:
153 Fapi_Delete(context, "/HS/SRK");
154 SAFE_FREE(publicblob);
155 SAFE_FREE(privateblob);
156 SAFE_FREE(signature);
157 SAFE_FREE(publicKey);
158 SAFE_FREE(path_list);
159 return EXIT_FAILURE;
160 }
161
162 int
test_invoke_fapi(FAPI_CONTEXT * fapi_context)163 test_invoke_fapi(FAPI_CONTEXT *fapi_context)
164 {
165 return test_fapi_key_create_sign_password_provision(fapi_context);
166 }
167