Google Git
Sign in
fuchsia / third_party / github.com / tpm2-software / tpm2-tss / refs/heads/upstream/3.0.x / . / test / integration / fapi-key-create-policy-authorize-sign.int.c
blob: c59aae1bbeb1c9191c53e5f5f1ca3aecfdeca8f4 [file] [log] [blame]
/* SPDX-License-Identifier: BSD-2-Clause */
/*******************************************************************************
* Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
* All rights reserved.
*******************************************************************************/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include "tss2_fapi.h"
#include "test-fapi.h"
#define LOGMODULE test
#include "util/log.h"
#include "util/aux_util.h"
static bool cb_called = false;
#define OBJECT_PATH "HS/SRK/mySignKey"
#define USER_DATA "my user data"
#define DESCRIPTION "PolicyAuthorize"
static TSS2_RC
branch_callback(
char const *objectPath,
char const *description,
char const **branchNames,
size_t numBranches,
size_t *selectedBranch,
void *userData)
{
(void) description;
(void) userData;
char *profile_path;
ASSERT(description != NULL);
ASSERT(userData != NULL);
ASSERT(branchNames != NULL);
if (!objectPath) {
return_error(TSS2_FAPI_RC_BAD_VALUE, "No path.");
}
int size = asprintf (&profile_path, "%s/%s", fapi_profile, OBJECT_PATH);
if (size == -1)
return TSS2_FAPI_RC_MEMORY;
ASSERT(strlen(objectPath) == strlen(profile_path));
free(profile_path);
ASSERT(strlen(userData) == strlen((char*)USER_DATA));
ASSERT(strlen(description) == strlen(DESCRIPTION));
if (numBranches != 2) {
LOG_ERROR("Wrong number of branches");
return TSS2_FAPI_RC_GENERAL_FAILURE;
}
if (!strcmp(branchNames[0], "/policy/pol_name_hash"))
*selectedBranch = 0;
else if (!strcmp(branchNames[1], "/policy/pol_name_hash"))
*selectedBranch = 1;
else {
LOG_ERROR("BranchName not found. Got \"%s\" and \"%s\"",
branchNames[0], branchNames[1]);
return TSS2_FAPI_RC_GENERAL_FAILURE;
}
cb_called = true;
return TSS2_RC_SUCCESS;
error:
exit(EXIT_FAILURE);
}
/** Test the FAPI functions for PolicyAuthoirze with signing.
*
* Tested FAPI commands:
* - Fapi_Provision()
* - Fapi_SetBranchCB()
* - Fapi_Import()
* - Fapi_CreateKey()
* - Fapi_AuthorizePolicy()
* - Fapi_Sign()
* - Fapi_List()
* - Fapi_Delete()
*
* Tested Policies:
* - PolicyNameHash
* - PolicyAuthorize
* - PolicyCpHash (Not entered, only as alternative branch)
*
* @param[in,out] context The FAPI_CONTEXT.
* @retval EXIT_FAILURE
* @retval EXIT_SUCCESS
*/
int
test_fapi_key_create_policy_authorize_sign(FAPI_CONTEXT *context)
{
TSS2_RC r;
char *policy_name_hash = "/policy/pol_name_hash";
char *policy_file_name_hash = TOP_SOURCEDIR "/test/data/fapi/policy/pol_name_hash.json";
/* This policy cannot succeed, but that's the intention. We authorize it but then choose
the other policy from branch selection. */
char *policy_cphash = "/policy/pol_cphash";
char *policy_file_cphash = TOP_SOURCEDIR "/test/data/fapi/policy/pol_cphash.json";
char *policy_name_authorize = "/policy/pol_authorize";
char *policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize.json";
char *policy_name_authorize_outer = "/policy/pol_authorize_outer";
char *policy_file_authorize_outer = TOP_SOURCEDIR
"/test/data/fapi/policy/pol_authorize_outer.json";
uint8_t policyRef[] = { 1, 2, 3, 4, 5 };
FILE *stream = NULL;
char *json_policy = NULL;
long policy_size;
uint8_t *signature = NULL;
char *publicKey = NULL;
char *certificate = NULL;
char *pathList = NULL;
r = Fapi_Provision(context, NULL, NULL, NULL);
goto_if_error(r, "Error Fapi_Provision", error);
r = pcr_reset(context, 16);
goto_if_error(r, "Error pcr_reset", error);
r = Fapi_SetBranchCB(context, branch_callback, USER_DATA);
goto_if_error(r, "Error SetPolicybranchselectioncallback", error);
/* Read in the first policy */
stream = fopen(policy_file_name_hash, "r");
if (!stream) {
LOG_ERROR("File %s does not exist", policy_file_name_hash);
goto error;
}
fseek(stream, 0L, SEEK_END);
policy_size = ftell(stream);
fclose(stream);
json_policy = malloc(policy_size + 1);
goto_if_null(json_policy,
"Could not allocate memory for the JSON policy",
TSS2_FAPI_RC_MEMORY, error);
stream = fopen(policy_file_name_hash, "r");
ssize_t ret = read(fileno(stream), json_policy, policy_size);
if (ret != policy_size) {
LOG_ERROR("IO error %s.", policy_file_name_hash);
goto error;
}
json_policy[policy_size] = '\0';
r = Fapi_Import(context, policy_name_hash, json_policy);
SAFE_FREE(json_policy);
goto_if_error(r, "Error Fapi_List", error);
/* Read in the second policy */
stream = fopen(policy_file_cphash, "r");
if (!stream) {
LOG_ERROR("File %s does not exist", policy_file_name_hash);
goto error;
}
fseek(stream, 0L, SEEK_END);
policy_size = ftell(stream);
fclose(stream);
json_policy = malloc(policy_size + 1);
goto_if_null(json_policy,
"Could not allocate memory for the JSON policy",
TSS2_FAPI_RC_MEMORY, error);
stream = fopen(policy_file_cphash, "r");
ret = read(fileno(stream), json_policy, policy_size);
if (ret != policy_size) {
LOG_ERROR("IO error %s.", policy_file_name_hash);
goto error;
}
json_policy[policy_size] = '\0';
r = Fapi_Import(context, policy_cphash, json_policy);
SAFE_FREE(json_policy);
goto_if_error(r, "Error Fapi_List", error);
/* Read in the third policy */
stream = fopen(policy_file_authorize, "r");
if (!stream) {
LOG_ERROR("File %s does not exist", policy_file_authorize);
goto error;
}
fseek(stream, 0L, SEEK_END);
policy_size = ftell(stream);
fclose(stream);
json_policy = malloc(policy_size + 1);
goto_if_null(json_policy,
"Could not allocate memory for the JSON policy",
TSS2_FAPI_RC_MEMORY, error);
stream = fopen(policy_file_authorize, "r");
ret = read(fileno(stream), json_policy, policy_size);
if (ret != policy_size) {
LOG_ERROR("IO error %s.", policy_file_authorize);
goto error;
}
json_policy[policy_size] = '\0';
r = Fapi_Import(context, policy_name_authorize, json_policy);
SAFE_FREE(json_policy);
goto_if_error(r, "Error Fapi_Import", error);
/* Read in the fourth policy */
stream = fopen(policy_file_authorize_outer, "r");
if (!stream) {
LOG_ERROR("File %s does not exist", policy_file_authorize_outer);
goto error;
}
fseek(stream, 0L, SEEK_END);
policy_size = ftell(stream);
fclose(stream);
json_policy = malloc(policy_size + 1);
goto_if_null(json_policy,
"Could not allocate memory for the JSON policy",
TSS2_FAPI_RC_MEMORY, error);
stream = fopen(policy_file_authorize_outer, "r");
ret = read(fileno(stream), json_policy, policy_size);
if (ret != policy_size) {
LOG_ERROR("IO error %s.", policy_file_authorize_outer);
goto error;
}
json_policy[policy_size] = '\0';
r = Fapi_Import(context, policy_name_authorize_outer, json_policy);
SAFE_FREE(json_policy);
goto_if_error(r, "Error Fapi_Import", error);
/* Create keys and use them to authorize the authorize policy */
r = Fapi_CreateKey(context, "HS/SRK/myPolicySignKeyOuter", "sign,noDa",
"", NULL);
goto_if_error(r, "Error Fapi_CreateKey", error);
/* Create keys and use them to authorize policies */
r = Fapi_CreateKey(context, "HS/SRK/myPolicySignKey", "sign,noDa",
"", NULL);
goto_if_error(r, "Error Fapi_CreateKey", error);
/* Create the actual key */
r = Fapi_CreateKey(context, OBJECT_PATH, "sign, noda",
policy_name_authorize_outer, NULL);
goto_if_error(r, "Error Fapi_CreateKey", error);
/* Authorize the policies in sequence. */
r = Fapi_AuthorizePolicy(context, policy_name_authorize,
"HS/SRK/myPolicySignKeyOuter", NULL, 0);
goto_if_error(r, "Authorize policy", error);
r = Fapi_AuthorizePolicy(context, policy_name_hash,
"HS/SRK/myPolicySignKey", policyRef, sizeof(policyRef));
goto_if_error(r, "Authorize policy", error);
r = Fapi_AuthorizePolicy(context, policy_cphash,
"HS/SRK/myPolicySignKey", policyRef, sizeof(policyRef));
goto_if_error(r, "Authorize policy", error);
/* The policy is authorized twice with idfferent keys in order to test the code that
stores multiple authorizations inside the policy statements. */
r = Fapi_CreateKey(context, "HS/SRK/myPolicySignKey2", "sign,noDa",
"", NULL);
goto_if_error(r, "Error Fapi_CreateKey", error);
r = Fapi_SetCertificate(context, OBJECT_PATH, "-----BEGIN "\
"CERTIFICATE-----[...]-----END CERTIFICATE-----");
goto_if_error(r, "Error Fapi_CreateKey", error);
/* Use the key */
size_t signatureSize = 0;
TPM2B_DIGEST digest = {
.size = 32,
.buffer = {
0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f,
0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f,
0x41, 0x42
}
};
r = Fapi_Sign(context, OBJECT_PATH, NULL,
&digest.buffer[0], digest.size, &signature, &signatureSize,
&publicKey, &certificate);
goto_if_error(r, "Error Fapi_Sign", error);
ASSERT(signature != NULL);
ASSERT(publicKey != NULL);
ASSERT(certificate != NULL);
LOG_INFO("Public key: %s", publicKey);
ASSERT(strstr(publicKey, "BEGIN PUBLIC KEY"));
LOG_INFO("Certificate: %s", certificate);
ASSERT(strstr(certificate, "BEGIN CERTIFICATE"));
r = Fapi_List(context, "/", &pathList);
goto_if_error(r, "Error Fapi_List", error);
ASSERT(pathList != NULL);
LOG_INFO("Pathlist: %s", pathList);
char *check_pathList1 =
"/" FAPI_PROFILE "/HS/SRK:/" FAPI_PROFILE "/HS:/" FAPI_PROFILE "/LOCKOUT:/"
FAPI_PROFILE "/HE/EK:/" FAPI_PROFILE "/HE:/" FAPI_PROFILE "/HN:/policy/pol_name_hash:"
"/policy/pol_cphash:/policy/pol_authorize_outer:/policy/pol_authorize:/" FAPI_PROFILE
"/HS/SRK/myPolicySignKey2:/" FAPI_PROFILE "/HS/SRK/myPolicySignKey:/" FAPI_PROFILE
"/HS/SRK/mySignKey:/" FAPI_PROFILE "/HS/SRK/myPolicySignKeyOuter";
ASSERT(cmp_strtokens(pathList, check_pathList1, ":"));
SAFE_FREE(pathList);
pathList = NULL;
r = Fapi_List(context, "/SRK/", &pathList);
goto_if_error(r, "Error Fapi_List", error);
ASSERT(pathList != NULL);
LOG_INFO("Pathlist: %s", pathList);
char *check_pathList2 =
"/" FAPI_PROFILE "/HS/SRK:/" FAPI_PROFILE "/HS/SRK/myPolicySignKey2:/" FAPI_PROFILE
"/HS/SRK/myPolicySignKey:/" FAPI_PROFILE "/HS/SRK/mySignKey:/" FAPI_PROFILE
"/HS/SRK/myPolicySignKeyOuter";
ASSERT(cmp_strtokens(pathList, check_pathList2, ":"));
SAFE_FREE(pathList);
pathList = NULL;
r = Fapi_List(context, "/HS/", &pathList);
goto_if_error(r, "Error Fapi_List", error);
ASSERT(pathList != NULL);
LOG_INFO("Pathlist: %s", pathList);
char *check_pathList3 =
"/" FAPI_PROFILE "/HS/SRK:/" FAPI_PROFILE "/HS:/" FAPI_PROFILE"/HS/SRK/myPolicySignKey2:/"
FAPI_PROFILE "/HS/SRK/myPolicySignKey:/" FAPI_PROFILE "/HS/SRK/mySignKey:/" FAPI_PROFILE
"/HS/SRK/myPolicySignKeyOuter";
ASSERT(cmp_strtokens(pathList, check_pathList3, ":"));
SAFE_FREE(pathList);
LOG_WARNING("Next is a failure-test, and we expect errors in the log");
pathList = NULL;
r = Fapi_List(context, "XXX", &pathList);
if (r == TSS2_RC_SUCCESS) {
LOG_ERROR("Path XXX was found");
goto error;
}
ASSERT(pathList == NULL);
SAFE_FREE(pathList);
pathList = NULL;
r = Fapi_List(context, "/policy/", &pathList);
goto_if_error(r, "Error Fapi_List", error);
ASSERT(pathList != NULL);
ASSERT(strlen(pathList) > ASSERT_SIZE);
LOG_INFO("Pathlist: %s", pathList);
char *check_pathList4 =
"/policy/pol_name_hash:/policy/pol_cphash:/policy/pol_authorize_outer:/policy/pol_authorize";
ASSERT(cmp_strtokens(pathList, check_pathList4, ":"));
SAFE_FREE(pathList);
/* Cleanup */
r = Fapi_Delete(context, "/");
goto_if_error(r, "Error Fapi_Delete", error);
SAFE_FREE(signature);
SAFE_FREE(publicKey);
SAFE_FREE(certificate);
if (!cb_called) {
LOG_ERROR("Branch selection callback was not called.");
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
error:
Fapi_Delete(context, "/");
SAFE_FREE(json_policy);
SAFE_FREE(signature);
SAFE_FREE(publicKey);
SAFE_FREE(certificate);
SAFE_FREE(pathList);
Fapi_Delete(context, "/");
return EXIT_FAILURE;
}
int
test_invoke_fapi(FAPI_CONTEXT *fapi_context)
{
return test_fapi_key_create_policy_authorize_sign(fapi_context);
}