1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14 #include "tss2_mu.h"
15
16 #include "esys_iutil.h"
17 #define LOGMODULE test
18 #include "util/log.h"
19 #include "util/aux_util.h"
20
21 /** This test is intended to test the ESAPI commands Duplicate and Import.
22 *
23 * We start by creating a primary key (Esys_CreatePrimary).
24 * This primary key will be used as parent key for the Duplicate
25 * command. A second primary key will be the parent key of the
26 * duplicated key. In the last step the key is imported with the
27 * first primary key as parent key (Esys_Import).
28 *
29 * Tested ESAPI commands:
30 * - Esys_Create() (M)
31 * - Esys_CreatePrimary() (M)
32 * - Esys_Duplicate() (M)
33 * - Esys_FlushContext() (M)
34 * - Esys_Import() (M)
35 * - Esys_Load() (M)
36 * - Esys_PolicyAuthValue() (M)
37 * - Esys_PolicyCommandCode() (M)
38 * - Esys_PolicyGetDigest() (M)
39 * - Esys_ReadPublic() (M)
40 * - Esys_StartAuthSession() (M)
41 *
42 * @param[in,out] esys_context The ESYS_CONTEXT.
43 * @retval EXIT_FAILURE
44 * @retval EXIT_SUCCESS
45 */
46
47 int
test_esys_import(ESYS_CONTEXT * esys_context)48 test_esys_import(ESYS_CONTEXT * esys_context)
49 {
50 TSS2_RC r;
51 ESYS_TR primaryHandle = ESYS_TR_NONE;
52 ESYS_TR primaryHandle2 = ESYS_TR_NONE;
53 ESYS_TR loadedKeyHandle = ESYS_TR_NONE;
54 ESYS_TR policySession = ESYS_TR_NONE;
55
56 TPM2B_DIGEST *policyDigestTrial = NULL;
57 TPM2B_PUBLIC *outPublic = NULL;
58 TPM2B_CREATION_DATA *creationData = NULL;
59 TPM2B_DIGEST *creationHash = NULL;
60 TPMT_TK_CREATION *creationTicket = NULL;
61
62 TPM2B_PUBLIC *outPublic2 = NULL;
63 TPM2B_PRIVATE *outPrivate2 = NULL;
64 TPM2B_CREATION_DATA *creationData2 = NULL;
65 TPM2B_DIGEST *creationHash2 = NULL;
66 TPMT_TK_CREATION *creationTicket2 = NULL;
67
68 TPM2B_DATA *encryptionKeyOut = NULL;
69 TPM2B_PRIVATE *duplicate = NULL;
70 TPM2B_ENCRYPTED_SECRET *outSymSeed = NULL;
71
72 TPM2B_PUBLIC *keyPublic = NULL;
73 TPM2B_NAME *keyName = NULL;
74 TPM2B_NAME *keyQualifiedName = NULL;
75
76 TPM2B_NAME *nameKeySign = NULL;
77 TPM2B_PRIVATE *outPrivate = NULL;
78
79 /*
80 * Firth the policy value to be able to use Esys_Duplicate for an object has to be
81 * determined with a policy trial session.
82 */
83 ESYS_TR sessionTrial = ESYS_TR_NONE;
84 TPMT_SYM_DEF symmetricTrial = {.algorithm = TPM2_ALG_AES,
85 .keyBits = {.aes = 128},
86 .mode = {.aes = TPM2_ALG_CFB}
87 };
88 TPM2B_NONCE nonceCallerTrial = {
89 .size = 20,
90 .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
91 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
92 };
93
94 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
95 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
96 &nonceCallerTrial,
97 TPM2_SE_TRIAL, &symmetricTrial, TPM2_ALG_SHA1,
98 &sessionTrial);
99 goto_if_error(r, "Error: During initialization of policy trial session", error);
100
101 r = Esys_PolicyAuthValue(esys_context,
102 sessionTrial,
103 ESYS_TR_NONE,
104 ESYS_TR_NONE,
105 ESYS_TR_NONE
106 );
107 goto_if_error(r, "Error: PolicyAuthValue", error);
108
109 r = Esys_PolicyCommandCode(esys_context,
110 sessionTrial,
111 ESYS_TR_NONE,
112 ESYS_TR_NONE,
113 ESYS_TR_NONE,
114 TPM2_CC_Duplicate
115 );
116 goto_if_error(r, "Error: PolicyCommandCode", error);
117
118 r = Esys_PolicyGetDigest(esys_context,
119 sessionTrial,
120 ESYS_TR_NONE,
121 ESYS_TR_NONE,
122 ESYS_TR_NONE,
123 &policyDigestTrial
124 );
125 goto_if_error(r, "Error: PolicyGetDigest", error);
126
127 TPM2B_AUTH authValuePrimary = {
128 .size = 5,
129 .buffer = {1, 2, 3, 4, 5}
130 };
131
132 TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
133 .size = 0,
134 .sensitive = {
135 .userAuth = {
136 .size = 0,
137 .buffer = {0 },
138 },
139 .data = {
140 .size = 0,
141 .buffer = {0},
142 },
143 },
144 };
145
146 inSensitivePrimary.sensitive.userAuth = authValuePrimary;
147
148 TPM2B_PUBLIC inPublic = {
149 .size = 0,
150 .publicArea = {
151 .type = TPM2_ALG_RSA,
152 .nameAlg = TPM2_ALG_SHA1,
153 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
154 TPMA_OBJECT_RESTRICTED |
155 TPMA_OBJECT_DECRYPT |
156 TPMA_OBJECT_FIXEDTPM |
157 TPMA_OBJECT_FIXEDPARENT |
158 TPMA_OBJECT_SENSITIVEDATAORIGIN),
159 .authPolicy = {
160 .size = 0,
161 },
162 .parameters.rsaDetail = {
163 .symmetric = {
164 .algorithm = TPM2_ALG_AES,
165 .keyBits.aes = 128,
166 .mode.aes = TPM2_ALG_CFB},
167 .scheme = {
168 .scheme = TPM2_ALG_NULL
169 },
170 .keyBits = 2048,
171 .exponent = 0,
172 },
173 .unique.rsa = {
174 .size = 0,
175 .buffer = {},
176 },
177 },
178 };
179 LOG_INFO("\nRSA key will be created.");
180 TPM2B_DATA outsideInfo = {
181 .size = 0,
182 .buffer = {},
183 };
184
185 TPML_PCR_SELECTION creationPCR = {
186 .count = 0,
187 };
188
189 TPM2B_AUTH authValue = {
190 .size = 0,
191 .buffer = {}
192 };
193
194 r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
195 goto_if_error(r, "Error: TR_SetAuth", error);
196
197 RSRC_NODE_T *primaryHandle_node;
198
199 r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
200 ESYS_TR_NONE, ESYS_TR_NONE,
201 &inSensitivePrimary, &inPublic,
202 &outsideInfo, &creationPCR, &primaryHandle,
203 &outPublic, &creationData, &creationHash,
204 &creationTicket);
205 goto_if_error(r, "Error esys create primary", error);
206
207 Esys_Free(outPublic);
208 Esys_Free(creationData);
209 Esys_Free(creationHash);
210 Esys_Free(creationTicket);
211
212 r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
213 ESYS_TR_NONE, ESYS_TR_NONE,
214 &inSensitivePrimary, &inPublic,
215 &outsideInfo, &creationPCR, &primaryHandle2,
216 &outPublic, &creationData, &creationHash,
217 &creationTicket);
218 goto_if_error(r, "Error esys create primary", error);
219
220 r = esys_GetResourceObject(esys_context, primaryHandle,
221 &primaryHandle_node);
222 goto_if_error(r, "Error Esys GetResourceObject", error);
223
224 LOG_INFO("Created Primary with handle 0x%08x...",
225 primaryHandle_node->rsrc.handle);
226
227 r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary);
228 goto_if_error(r, "Error: TR_SetAuth", error);
229
230 TPM2B_AUTH authKey2 = {
231 .size = 6,
232 .buffer = {6, 7, 8, 9, 10, 11}
233 };
234
235 TPM2B_SENSITIVE_CREATE inSensitive2 = {
236 .size = 0,
237 .sensitive = {
238 .userAuth = {
239 .size = 0,
240 .buffer = {0}
241 },
242 .data = {
243 .size = 0,
244 .buffer = {}
245 }
246 }
247 };
248
249 inSensitive2.sensitive.userAuth = authKey2;
250
251 TPM2B_PUBLIC inPublic2 = {
252 .size = 0,
253 .publicArea = {
254 .type = TPM2_ALG_RSA,
255 .nameAlg = TPM2_ALG_SHA1,
256 .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
257 TPMA_OBJECT_RESTRICTED |
258 TPMA_OBJECT_DECRYPT |
259 TPMA_OBJECT_SENSITIVEDATAORIGIN),
260
261 .authPolicy = {
262 .size = 0,
263 },
264 .parameters.rsaDetail = {
265 .symmetric = {
266 .algorithm = TPM2_ALG_AES,
267 .keyBits.aes = 128,
268 .mode.aes = TPM2_ALG_CFB
269 },
270 .scheme = {
271 .scheme =
272 TPM2_ALG_NULL,
273 },
274 .keyBits = 2048,
275 .exponent = 0
276 },
277 .unique.rsa = {
278 .size = 0,
279 .buffer = {}
280 ,
281 }
282 }
283 };
284
285 TPM2B_DATA outsideInfo2 = {
286 .size = 0,
287 .buffer = {}
288 ,
289 };
290
291 TPML_PCR_SELECTION creationPCR2 = {
292 .count = 0,
293 };
294
295 inPublic2.publicArea.authPolicy = *policyDigestTrial;
296
297 r = Esys_Create(esys_context,
298 primaryHandle,
299 ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
300 &inSensitive2,
301 &inPublic2,
302 &outsideInfo2,
303 &creationPCR2,
304 &outPrivate2,
305 &outPublic2,
306 &creationData2, &creationHash2, &creationTicket2);
307 goto_if_error(r, "Error esys create ", error);
308
309 LOG_INFO("\nSecond key created.");
310
311 r = Esys_Load(esys_context,
312 primaryHandle,
313 ESYS_TR_PASSWORD,
314 ESYS_TR_NONE,
315 ESYS_TR_NONE, outPrivate2, outPublic2, &loadedKeyHandle);
316 goto_if_error(r, "Error esys load ", error);
317
318 LOG_INFO("\nSecond Key loaded.");
319
320 r = Esys_TR_SetAuth(esys_context, loadedKeyHandle, &authKey2);
321 goto_if_error(r, "Error esys TR_SetAuth ", error);
322
323 r = Esys_ReadPublic(esys_context,
324 loadedKeyHandle,
325 ESYS_TR_NONE,
326 ESYS_TR_NONE,
327 ESYS_TR_NONE,
328 &keyPublic,
329 &keyName,
330 &keyQualifiedName);
331
332 Esys_Free(keyPublic);
333 Esys_Free(keyName);
334 Esys_Free(keyQualifiedName);
335
336 goto_if_error(r, "Error esys ReadPublic", error);
337
338 TPMT_SYM_DEF policySymmetric = {.algorithm = TPM2_ALG_AES,
339 .keyBits = {.aes = 128},
340 .mode = {.aes = TPM2_ALG_CFB}
341 };
342 TPM2B_NONCE policyNonceCaller = {
343 .size = 20,
344 .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
345 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
346 };
347
348 r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
349 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
350 &policyNonceCaller,
351 TPM2_SE_POLICY, &policySymmetric, TPM2_ALG_SHA1,
352 &policySession);
353 goto_if_error(r, "Error: During initialization of policy trial session", error);
354
355
356 r = Esys_PolicyAuthValue(esys_context,
357 policySession,
358 ESYS_TR_NONE,
359 ESYS_TR_NONE,
360 ESYS_TR_NONE
361 );
362 goto_if_error(r, "Error: PolicyAuthValue", error);
363
364 r = Esys_PolicyCommandCode(esys_context,
365 policySession,
366 ESYS_TR_NONE,
367 ESYS_TR_NONE,
368 ESYS_TR_NONE,
369 TPM2_CC_Duplicate
370 );
371 goto_if_error(r, "Error: PolicyCommandCode", error);
372
373 TPM2B_DATA encryptionKey = {0};
374
375 TPMT_SYM_DEF_OBJECT symmetric = {.algorithm = TPM2_ALG_NULL,
376 .keyBits = {.aes = 128},
377 .mode = {.aes = TPM2_ALG_CFB}};
378
379 r = Esys_Duplicate(
380 esys_context,
381 loadedKeyHandle,
382 primaryHandle2,
383 policySession,
384 ESYS_TR_NONE,
385 ESYS_TR_NONE,
386 &encryptionKey,
387 &symmetric,
388 &encryptionKeyOut,
389 &duplicate,
390 &outSymSeed);
391
392 goto_if_error(r, "Error: Duplicate", error);
393 Esys_Free(outPublic);
394
395 r = Esys_ReadPublic(esys_context,
396 loadedKeyHandle,
397 ESYS_TR_NONE,
398 ESYS_TR_NONE,
399 ESYS_TR_NONE,
400 &outPublic,
401 &nameKeySign,
402 &keyQualifiedName);
403 goto_if_error(r, "Error: ReadPublic", error);
404
405 r = Esys_FlushContext(esys_context, loadedKeyHandle);
406 goto_if_error(r, "Flushing context", error);
407
408 loadedKeyHandle = ESYS_TR_NONE;
409
410
411 r = Esys_Import(
412 esys_context,
413 primaryHandle,
414 ESYS_TR_PASSWORD,
415 ESYS_TR_NONE,
416 ESYS_TR_NONE,
417 encryptionKeyOut,
418 outPublic,
419 duplicate,
420 outSymSeed,
421 &symmetric,
422 &outPrivate);
423 goto_if_error(r, "Error: Import", error);
424
425 r = Esys_FlushContext(esys_context, primaryHandle);
426 goto_if_error(r, "Flushing context", error);
427
428 primaryHandle = ESYS_TR_NONE;
429
430 r = Esys_FlushContext(esys_context, primaryHandle2);
431 goto_if_error(r, "Flushing context", error);
432
433 primaryHandle2 = ESYS_TR_NONE;
434
435 r = Esys_FlushContext(esys_context, sessionTrial);
436 goto_if_error(r, "Flushing context", error);
437
438 sessionTrial = ESYS_TR_NONE;
439
440 r = Esys_FlushContext(esys_context, policySession);
441 goto_if_error(r, "Flushing context", error);
442
443 Esys_Free(policyDigestTrial);
444 Esys_Free(outPublic);
445 Esys_Free(creationData);
446 Esys_Free(creationHash);
447 Esys_Free(creationTicket);
448
449 Esys_Free(outPublic2);
450 Esys_Free(outPrivate2);
451 Esys_Free(creationData2);
452 Esys_Free(creationHash2);
453 Esys_Free(creationTicket2);
454
455 Esys_Free(encryptionKeyOut);
456 Esys_Free(duplicate);
457 Esys_Free(outSymSeed);
458
459 Esys_Free(keyQualifiedName);
460
461 Esys_Free(nameKeySign);
462 Esys_Free(outPrivate);
463 return EXIT_SUCCESS;
464
465 error:
466
467 if (policySession != ESYS_TR_NONE) {
468 if (Esys_FlushContext(esys_context, policySession) != TSS2_RC_SUCCESS) {
469 LOG_ERROR("Cleanup policySession failed.");
470 }
471 }
472
473 if (sessionTrial != ESYS_TR_NONE) {
474 if (Esys_FlushContext(esys_context, sessionTrial) != TSS2_RC_SUCCESS) {
475 LOG_ERROR("Cleanup sessionTrial failed.");
476 }
477 }
478 if (loadedKeyHandle != ESYS_TR_NONE) {
479 if (Esys_FlushContext(esys_context, loadedKeyHandle) != TSS2_RC_SUCCESS) {
480 LOG_ERROR("Cleanup loadedKeyHandle failed.");
481 }
482 }
483
484 if (primaryHandle != ESYS_TR_NONE) {
485 if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
486 LOG_ERROR("Cleanup primaryHandle failed.");
487 }
488 }
489
490 if (primaryHandle2 != ESYS_TR_NONE) {
491 if (Esys_FlushContext(esys_context, primaryHandle2) != TSS2_RC_SUCCESS) {
492 LOG_ERROR("Cleanup primaryHandle2 failed.");
493 }
494 }
495
496 Esys_Free(policyDigestTrial);
497 Esys_Free(outPublic);
498 Esys_Free(creationData);
499 Esys_Free(creationHash);
500 Esys_Free(creationTicket);
501
502 Esys_Free(outPublic2);
503 Esys_Free(outPrivate2);
504 Esys_Free(creationData2);
505 Esys_Free(creationHash2);
506 Esys_Free(creationTicket2);
507
508 Esys_Free(encryptionKeyOut);
509 Esys_Free(duplicate);
510 Esys_Free(outSymSeed);
511
512 Esys_Free(keyPublic);
513 Esys_Free(keyName);
514 Esys_Free(keyQualifiedName);
515
516 Esys_Free(nameKeySign);
517 Esys_Free(outPrivate);
518 return EXIT_FAILURE;
519 }
520
521 int
test_invoke_esapi(ESYS_CONTEXT * esys_context)522 test_invoke_esapi(ESYS_CONTEXT * esys_context) {
523 return test_esys_import(esys_context);
524 }
525