1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12
13 #include "tss2_esys.h"
14 #include "tss2_mu.h"
15
16 #include "esys_iutil.h"
17 #define LOGMODULE test
18 #include "util/log.h"
19 #include "util/aux_util.h"
20
21 /** This test is intended to test the ESAPI signing and signature verification.
22 *
23 * Tested ESAPI commands:
24 * - Esys_CreatePrimary() (M)
25 * - Esys_FlushContext() (M)
26 * - Esys_ReadPublic() (M)
27 * - Esys_Sign() (M)
28 * - Esys_VerifySignature() (M)
29 *
30 * @param[in,out] esys_context The ESYS_CONTEXT.
31 * @retval EXIT_FAILURE
32 * @retval EXIT_SUCCESS
33 */
34
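int
test_esys_verify_signature(ESYS_CONTEXT * esys_context)
{
    /*
     * Flow: create an RSA-2048 primary signing key under the owner hierarchy,
     * read back its public area, sign a fixed 20-byte digest, verify that
     * signature with the same key, then flush the key.
     *
     * Every ESAPI out-parameter is released with Esys_Free() on both exit
     * paths. A pointer that has already been freed is reset to NULL so the
     * shared error path cannot free it a second time.
     */
    TSS2_RC r;
    ESYS_TR primaryHandle = ESYS_TR_NONE;

    TPM2B_PUBLIC *outPublic = NULL;
    TPM2B_CREATION_DATA *creationData = NULL;
    TPM2B_DIGEST *creationHash = NULL;
    TPMT_TK_CREATION *creationTicket = NULL;

    TPM2B_NAME *nameKeySign = NULL;
    TPM2B_NAME *keyQualifiedName = NULL;
    TPMT_SIGNATURE *signature = NULL;

    TPMT_TK_VERIFIED *validation = NULL;

    /*
     * 1. Create Primary. This primary will be used as signing key.
     */

    /* Fixed auth value: test fixture only, not a pattern for real keys. */
    TPM2B_AUTH authValuePrimary = {
        .size = 5,
        .buffer = {1, 2, 3, 4, 5}
    };

    TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
        .size = 0,
        .sensitive = {
            .userAuth = authValuePrimary,
            .data = {
                 .size = 0,
                 .buffer = {0},
             },
        },
    };

    /*
     * Unrestricted RSA-2048 signing key with RSASSA-PSS. SHA-1 is used for
     * both the name algorithm and the signing hash; NOTE(review): presumably
     * chosen for broad TPM compatibility in the test suite. SHA-1 is not
     * collision resistant, so new key templates should prefer SHA-256.
     */
    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            .nameAlg = TPM2_ALG_SHA1,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_SIGN_ENCRYPT  |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = {
                 .size = 0,
             },
            .parameters.rsaDetail = {
                 .symmetric = {
                     .algorithm = TPM2_ALG_NULL,
                     .keyBits.aes = 128,
                     .mode.aes = TPM2_ALG_CFB},
                 .scheme = {
                      .scheme = TPM2_ALG_RSAPSS,
                      .details = {
                          .rsapss = { .hashAlg = TPM2_ALG_SHA1 }
                      }
                  },
                 .keyBits = 2048,
                 .exponent = 0,
             },
            .unique.rsa = {
                 .size = 0,
                 .buffer = {0},
             },
        },
    };
    LOG_INFO("\nRSA key will be created.");

    TPM2B_DATA outsideInfo = {
        .size = 0,
        .buffer = {0},
    };

    TPML_PCR_SELECTION creationPCR = {
        .count = 0,
    };

    /* Empty auth value for the owner hierarchy. */
    TPM2B_AUTH authValue = {
        .size = 0,
        .buffer = {0}
    };

    r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
    goto_if_error(r, "Error: TR_SetAuth", error);

    r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
                           ESYS_TR_NONE, ESYS_TR_NONE,
                           &inSensitivePrimary, &inPublic,
                           &outsideInfo, &creationPCR, &primaryHandle,
                           &outPublic, &creationData, &creationHash,
                           &creationTicket);
    goto_if_error(r, "Error esys create primary", error);

    /*
     * The creation outputs are not needed any further. Reset each pointer
     * after freeing it: every later failure jumps to the error label, which
     * frees the same variables again and would otherwise double-free them.
     */
    Esys_Free(outPublic);
    outPublic = NULL;
    Esys_Free(creationData);
    creationData = NULL;
    Esys_Free(creationHash);
    creationHash = NULL;
    Esys_Free(creationTicket);
    creationTicket = NULL;

    r = Esys_ReadPublic(esys_context,
                        primaryHandle,
                        ESYS_TR_NONE,
                        ESYS_TR_NONE,
                        ESYS_TR_NONE,
                        &outPublic,
                        &nameKeySign,
                        &keyQualifiedName);
    goto_if_error(r, "Error: ReadPublic", error);

    /* TPM2_ALG_NULL: no scheme override, the key's own scheme applies. */
    TPMT_SIG_SCHEME inScheme = { .scheme = TPM2_ALG_NULL };

    /*
     * Hashcheck ticket with an all-zero digest. The key template above does
     * not set TPMA_OBJECT_RESTRICTED; NOTE(review): for an unrestricted key
     * the TPM is not expected to validate this ticket - confirm against the
     * TPM2_Sign description before reusing this with a restricted key.
     */
    TPMT_TK_HASHCHECK hash_validation = {
        .tag = TPM2_ST_HASHCHECK,
        .hierarchy = TPM2_RH_OWNER,
        .digest = {0}
    };
    /* SHA1 digest for PCR register with zeros */
    TPM2B_DIGEST pcr_digest_zero = {
        .size = 20,
        .buffer = { 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
                    0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f }
    };

    /*
     * 2. Sign pcr_digest_zero and verify the signature.
     */

    r = Esys_Sign(
        esys_context,
        primaryHandle,
        ESYS_TR_PASSWORD,
        ESYS_TR_NONE,
        ESYS_TR_NONE,
        &pcr_digest_zero,
        &inScheme,
        &hash_validation,
        &signature);
    goto_if_error(r, "Error: Sign", error);

    /*
     * Only the return code decides the test result; the returned
     * verification ticket is freed without being inspected.
     */
    r = Esys_VerifySignature(
        esys_context,
        primaryHandle,
        ESYS_TR_NONE,
        ESYS_TR_NONE,
        ESYS_TR_NONE,
        &pcr_digest_zero,
        signature,
        &validation);
    goto_if_error(r, "Error: VerifySignature", error);

    r = Esys_FlushContext(esys_context, primaryHandle);
    goto_if_error(r, "Error: FlushContext", error);

    Esys_Free(outPublic);

    Esys_Free(nameKeySign);
    Esys_Free(keyQualifiedName);
    Esys_Free(signature);
    Esys_Free(validation);
    return EXIT_SUCCESS;

 error:

    /* Best-effort removal of the key from the TPM; a failure is only logged. */
    if (primaryHandle != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup primaryHandle failed.");
        }
    }

    /* Pointers already released above are NULL here. */
    Esys_Free(outPublic);
    Esys_Free(creationData);
    Esys_Free(creationHash);
    Esys_Free(creationTicket);

    Esys_Free(nameKeySign);
    Esys_Free(keyQualifiedName);
    Esys_Free(signature);
    Esys_Free(validation);
    return EXIT_FAILURE;
}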
217
int
test_invoke_esapi(ESYS_CONTEXT * esys_context)
{
    /* Run the sign/verify test and hand its exit status back unchanged. */
    const int status = test_esys_verify_signature(esys_context);

    return status;
}
222