test/integration/fapi-key-create-sign-password-provision.int.c - third_party/github.com/tpm2-software/tpm2-tss - Git at Google

 /* SPDX-License-Identifier: BSD-2-Clause */
 /*******************************************************************************
  * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
  * All rights reserved.
  *******************************************************************************/

 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif

 #include <stdlib.h>
 #include <string.h>

 #include "tss2_fapi.h"

 #include "test-fapi.h"
 #include "fapi_util.h"
 #include "fapi_int.h"

 #include "esys_iutil.h"
 #define LOGMODULE test
 #include "util/log.h"
 #include "util/aux_util.h"

 #define PASSWORD "abc"
 #define SIGN_TEMPLATE "sign,noDa"

 static TSS2_RC
 auth_callback(
     char const *objectPath,
     char const *description,
     const char **auth,
     void *userData)
 {
     (void)description;
     (void)userData;

     if (!objectPath) {
         return_error(TSS2_FAPI_RC_BAD_VALUE, "No path.");
     }

     char *pw = PASSWORD;
     if (!pw)
         return TSS2_FAPI_RC_GENERAL_FAILURE;

     *auth = pw;
     return TSS2_RC_SUCCESS;
 }

 /** Test the FAPI functions for key creation and usage with an SH password.
  *
  * Tested FAPI commands:
  *  - Fapi_Provision()
  *  - Fapi_SetAuthCB()
  *  - Fapi_CreateKey()
  *  - Fapi_GetTpmBlobs()
  *  - Fapi_Sign()
  *  - Fapi_SetCertificate()
  *  - Fapi_List()
  *  - Fapi_ChangeAuth()
  *  - Fapi_Delete()
  *
  * @param[in,out] context The FAPI_CONTEXT.
  * @retval EXIT_FAILURE
  * @retval EXIT_SUCCESS
  */
 int
 test_fapi_key_create_sign_password_provision(FAPI_CONTEXT *context)
 {
     TSS2_RC r;
     char *sigscheme = NULL;
     uint8_t       *publicblob = NULL;
     uint8_t       *privateblob = NULL;
     char          *policy = NULL;
     uint8_t *signature = NULL;
     char    *publicKey = NULL;
     char    *certificate = NULL;
     char *path_list = NULL;
     char *policy_name = "/policy/pol_pcr16_0";
     char *policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0.json";
     FILE *stream = NULL;
     char *json_policy = NULL;
     long policy_size;

     size_t         publicsize;
     size_t         privatesize;

     const char *cert =
         "-----BEGIN CERTIFICATE-----\n"
         "MIIDBjCCAe4CCQDcvXBOEVM0UTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJE\n"
         "RTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n"
         "cyBQdHkgTHRkMB4XDTE5MDIyODEwNDkyM1oXDTM1MDgyNzEwNDkyM1owRTELMAkG\n"
         "A1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\n"
         "IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
         "AKBi+iKwkgM55iCMwXrLCJlu7TzlMu/LlkyGrm99ip2B5+/Cl6a62d8pKelg6zkH\n"
         "jI7+AAPteJiW4O+2qVWF8hJ5BXTjGtYbM0iZ6enCb8eyC54C7xVMc21ZIv3ob4Et\n"
         "50ZOuzY2pfpzE3vIaXt1CkHlfyI/hdK+mM/dVvuCz5p3AIlHrEWS3rSNgWbCsB2E\n"
         "TM55qSGKaLmtTbUvEKRF0TJrFLntfXkv10QD5pgn52+QV9k59OogqZOsDvkXzKPX\n"
         "rXF+XC0gLiGBEGAr1dv9F03xMOtO77bQTdGOeC61Tip6Nb0V3ebMckZXwdFi+Nhe\n"
         "FRuU33CaObtV6u5PZvSue/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcamUPe8I\n"
         "nMOHcv9x5lVN1joihVRmKc0QqNLFc6XpJY8+U5rGkZvOcDe9Da8L97wDNXpKmU/q\n"
         "pprj3rT8l3v0Z5xs8Vdr8lxS6T5NhqQV0UCsn1x14gZJcE48y9/LazYi6Zcar+BX\n"
         "Am4vewAV3HmQ8X2EctsRhXe4wlAq4slIfEWaaofa8ai7BzO9KwpMLsGPWoNetkB9\n"
         "19+SFt0lFFOj/6vDw5pCpSd1nQlo1ug69mJYSX/wcGkV4t4LfGhV8jRPDsGs6I5n\n"
         "ETHSN5KV1XCPYJmRCjFY7sIt1x4zN7JJRO9DVw+YheIlduVfkBiF+GlQgLlFTjrJ\n"
         "VrpSGMIFSu301A==\n"
         "-----END CERTIFICATE-----\n";

     if (strcmp("P_ECC", fapi_profile) != 0)
         sigscheme = "RSA_PSS";

     /* We need to reset the passwords again, in order to not brick physical TPMs */
     r = Fapi_Provision(context, NULL, PASSWORD, NULL);
     goto_if_error(r, "Error Fapi_Provision", error);

     r = pcr_reset(context, 16);
     goto_if_error(r, "Error pcr_reset", error);

     r = Fapi_SetAuthCB(context, auth_callback, NULL);
     goto_if_error(r, "Error SetPolicyAuthCallback", error);

     stream = fopen(policy_file, "r");
     if (!stream) {
         LOG_ERROR("File %s does not exist", policy_file);
         goto error;
     }
     fseek(stream, 0L, SEEK_END);
     policy_size = ftell(stream);
     fclose(stream);
     json_policy = malloc(policy_size + 1);
     goto_if_null(json_policy,
             "Could not allocate memory for the JSON policy",
             TSS2_FAPI_RC_MEMORY, error);
     stream = fopen(policy_file, "r");
     ssize_t ret = read(fileno(stream), json_policy, policy_size);
     if (ret != policy_size) {
         LOG_ERROR("IO error %s.", policy_file);
         goto error;
     }
     json_policy[policy_size] = '\0';

     r = Fapi_Import(context, policy_name, json_policy);
     goto_if_error(r, "Error Fapi_Import", error);

     r = Fapi_CreateKey(context, "HS/SRK/mySignKey", SIGN_TEMPLATE, policy_name,
                        PASSWORD);

     goto_if_error(r, "Error Fapi_CreateKey", error);
     size_t signatureSize = 0;

     TPM2B_DIGEST digest = {
         .size = 20,
         .buffer = {
             0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
             0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f
         }
     };

     r = Fapi_GetTpmBlobs(context,  "HS/SRK/mySignKey", &publicblob,
                          &publicsize,
                          &privateblob, &privatesize, &policy);
     goto_if_error(r, "Error Fapi_GetTpmBlobs", error);
     ASSERT(publicblob != NULL);
     ASSERT(privateblob != NULL);
     ASSERT(policy != NULL);
     ASSERT(strlen(policy) > ASSERT_SIZE);

     r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", cert);
     goto_if_error(r, "Error Fapi_SetCertificate", error);

     r = Fapi_Sign(context, "HS/SRK/mySignKey", sigscheme,
                   &digest.buffer[0], digest.size, &signature, &signatureSize,
                   &publicKey, &certificate);
     goto_if_error(r, "Error Fapi_Sign", error);
     ASSERT(signature != NULL);
     ASSERT(publicKey != NULL);
     ASSERT(certificate != NULL);
     LOG_INFO("Public key: %s", publicKey);
     ASSERT(strstr(publicKey, "BEGIN PUBLIC KEY"));
     LOG_INFO("Certificate: %s", certificate);
     ASSERT(strstr(certificate, "BEGIN CERTIFICATE"));

     r = Fapi_List(context, "/", &path_list);
     goto_if_error(r, "Error Fapi_Delete", error);
     ASSERT(path_list != NULL);
     ASSERT(strlen(path_list) > ASSERT_SIZE);

     fprintf(stderr, "\nPathList:\n%s\n", path_list);

     /* We need to reset the passwords again, in order to not brick physical TPMs */
     r = Fapi_ChangeAuth(context, "/HS", NULL);
     goto_if_error(r, "Error Fapi_ChangeAuth", error);

     r = Fapi_Delete(context, "/");
     goto_if_error(r, "Error Fapi_Delete", error);

     SAFE_FREE(publicblob);
     SAFE_FREE(privateblob);
     SAFE_FREE(policy);
     SAFE_FREE(signature);
     SAFE_FREE(publicKey);
     SAFE_FREE(certificate);
     SAFE_FREE(path_list);
     SAFE_FREE(json_policy);
     return EXIT_SUCCESS;

 error:
     Fapi_Delete(context, "/");
     SAFE_FREE(publicblob);
     SAFE_FREE(privateblob);
     SAFE_FREE(policy);
     SAFE_FREE(signature);
     SAFE_FREE(publicKey);
     SAFE_FREE(certificate);
     SAFE_FREE(path_list);
     SAFE_FREE(json_policy);
     return EXIT_FAILURE;
 }

 int
 test_invoke_fapi(FAPI_CONTEXT *fapi_context)
 {
     return test_fapi_key_create_sign_password_provision(fapi_context);
 }
	/* SPDX-License-Identifier: BSD-2-Clause */
	/*******************************************************************************
	* Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
	* All rights reserved.
	*******************************************************************************/

	#ifdef HAVE_CONFIG_H
	#include <config.h>
	#endif

	#include <stdlib.h>
	#include <string.h>

	#include "tss2_fapi.h"

	#include "test-fapi.h"
	#include "fapi_util.h"
	#include "fapi_int.h"

	#include "esys_iutil.h"
	#define LOGMODULE test
	#include "util/log.h"
	#include "util/aux_util.h"

	#define PASSWORD "abc"
	#define SIGN_TEMPLATE "sign,noDa"

	static TSS2_RC
	auth_callback(
	char const *objectPath,
	char const *description,
	const char **auth,
	void *userData)
	{
	(void)description;
	(void)userData;

	if (!objectPath) {
	return_error(TSS2_FAPI_RC_BAD_VALUE, "No path.");
	}

	char *pw = PASSWORD;
	if (!pw)
	return TSS2_FAPI_RC_GENERAL_FAILURE;

	*auth = pw;
	return TSS2_RC_SUCCESS;
	}

	/** Test the FAPI functions for key creation and usage with an SH password.
	*
	* Tested FAPI commands:
	* - Fapi_Provision()
	* - Fapi_SetAuthCB()
	* - Fapi_CreateKey()
	* - Fapi_GetTpmBlobs()
	* - Fapi_Sign()
	* - Fapi_SetCertificate()
	* - Fapi_List()
	* - Fapi_ChangeAuth()
	* - Fapi_Delete()
	*
	* @param[in,out] context The FAPI_CONTEXT.
	* @retval EXIT_FAILURE
	* @retval EXIT_SUCCESS
	*/
	int
	test_fapi_key_create_sign_password_provision(FAPI_CONTEXT *context)
	{
	TSS2_RC r;
	char *sigscheme = NULL;
	uint8_t *publicblob = NULL;
	uint8_t *privateblob = NULL;
	char *policy = NULL;
	uint8_t *signature = NULL;
	char *publicKey = NULL;
	char *certificate = NULL;
	char *path_list = NULL;
	char *policy_name = "/policy/pol_pcr16_0";
	char *policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0.json";
	FILE *stream = NULL;
	char *json_policy = NULL;
	long policy_size;

	size_t publicsize;
	size_t privatesize;

	const char *cert =
	"-----BEGIN CERTIFICATE-----\n"
	"MIIDBjCCAe4CCQDcvXBOEVM0UTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJE\n"
	"RTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n"
	"cyBQdHkgTHRkMB4XDTE5MDIyODEwNDkyM1oXDTM1MDgyNzEwNDkyM1owRTELMAkG\n"
	"A1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\n"
	"IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
	"AKBi+iKwkgM55iCMwXrLCJlu7TzlMu/LlkyGrm99ip2B5+/Cl6a62d8pKelg6zkH\n"
	"jI7+AAPteJiW4O+2qVWF8hJ5BXTjGtYbM0iZ6enCb8eyC54C7xVMc21ZIv3ob4Et\n"
	"50ZOuzY2pfpzE3vIaXt1CkHlfyI/hdK+mM/dVvuCz5p3AIlHrEWS3rSNgWbCsB2E\n"
	"TM55qSGKaLmtTbUvEKRF0TJrFLntfXkv10QD5pgn52+QV9k59OogqZOsDvkXzKPX\n"
	"rXF+XC0gLiGBEGAr1dv9F03xMOtO77bQTdGOeC61Tip6Nb0V3ebMckZXwdFi+Nhe\n"
	"FRuU33CaObtV6u5PZvSue/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcamUPe8I\n"
	"nMOHcv9x5lVN1joihVRmKc0QqNLFc6XpJY8+U5rGkZvOcDe9Da8L97wDNXpKmU/q\n"
	"pprj3rT8l3v0Z5xs8Vdr8lxS6T5NhqQV0UCsn1x14gZJcE48y9/LazYi6Zcar+BX\n"
	"Am4vewAV3HmQ8X2EctsRhXe4wlAq4slIfEWaaofa8ai7BzO9KwpMLsGPWoNetkB9\n"
	"19+SFt0lFFOj/6vDw5pCpSd1nQlo1ug69mJYSX/wcGkV4t4LfGhV8jRPDsGs6I5n\n"
	"ETHSN5KV1XCPYJmRCjFY7sIt1x4zN7JJRO9DVw+YheIlduVfkBiF+GlQgLlFTjrJ\n"
	"VrpSGMIFSu301A==\n"
	"-----END CERTIFICATE-----\n";

	if (strcmp("P_ECC", fapi_profile) != 0)
	sigscheme = "RSA_PSS";

	/* We need to reset the passwords again, in order to not brick physical TPMs */
	r = Fapi_Provision(context, NULL, PASSWORD, NULL);
	goto_if_error(r, "Error Fapi_Provision", error);

	r = pcr_reset(context, 16);
	goto_if_error(r, "Error pcr_reset", error);

	r = Fapi_SetAuthCB(context, auth_callback, NULL);
	goto_if_error(r, "Error SetPolicyAuthCallback", error);

	stream = fopen(policy_file, "r");
	if (!stream) {
	LOG_ERROR("File %s does not exist", policy_file);
	goto error;
	}
	fseek(stream, 0L, SEEK_END);
	policy_size = ftell(stream);
	fclose(stream);
	json_policy = malloc(policy_size + 1);
	goto_if_null(json_policy,
	"Could not allocate memory for the JSON policy",
	TSS2_FAPI_RC_MEMORY, error);
	stream = fopen(policy_file, "r");
	ssize_t ret = read(fileno(stream), json_policy, policy_size);
	if (ret != policy_size) {
	LOG_ERROR("IO error %s.", policy_file);
	goto error;
	}
	json_policy[policy_size] = '\0';

	r = Fapi_Import(context, policy_name, json_policy);
	goto_if_error(r, "Error Fapi_Import", error);

	r = Fapi_CreateKey(context, "HS/SRK/mySignKey", SIGN_TEMPLATE, policy_name,
	PASSWORD);

	goto_if_error(r, "Error Fapi_CreateKey", error);
	size_t signatureSize = 0;

	TPM2B_DIGEST digest = {
	.size = 20,
	.buffer = {
	0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
	0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f
	}
	};

	r = Fapi_GetTpmBlobs(context, "HS/SRK/mySignKey", &publicblob,
	&publicsize,
	&privateblob, &privatesize, &policy);
	goto_if_error(r, "Error Fapi_GetTpmBlobs", error);
	ASSERT(publicblob != NULL);
	ASSERT(privateblob != NULL);
	ASSERT(policy != NULL);
	ASSERT(strlen(policy) > ASSERT_SIZE);

	r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", cert);
	goto_if_error(r, "Error Fapi_SetCertificate", error);

	r = Fapi_Sign(context, "HS/SRK/mySignKey", sigscheme,
	&digest.buffer[0], digest.size, &signature, &signatureSize,
	&publicKey, &certificate);
	goto_if_error(r, "Error Fapi_Sign", error);
	ASSERT(signature != NULL);
	ASSERT(publicKey != NULL);
	ASSERT(certificate != NULL);
	LOG_INFO("Public key: %s", publicKey);
	ASSERT(strstr(publicKey, "BEGIN PUBLIC KEY"));
	LOG_INFO("Certificate: %s", certificate);
	ASSERT(strstr(certificate, "BEGIN CERTIFICATE"));

	r = Fapi_List(context, "/", &path_list);
	goto_if_error(r, "Error Fapi_Delete", error);
	ASSERT(path_list != NULL);
	ASSERT(strlen(path_list) > ASSERT_SIZE);

	fprintf(stderr, "\nPathList:\n%s\n", path_list);

	/* We need to reset the passwords again, in order to not brick physical TPMs */
	r = Fapi_ChangeAuth(context, "/HS", NULL);
	goto_if_error(r, "Error Fapi_ChangeAuth", error);

	r = Fapi_Delete(context, "/");
	goto_if_error(r, "Error Fapi_Delete", error);

	SAFE_FREE(publicblob);
	SAFE_FREE(privateblob);
	SAFE_FREE(policy);
	SAFE_FREE(signature);
	SAFE_FREE(publicKey);
	SAFE_FREE(certificate);
	SAFE_FREE(path_list);
	SAFE_FREE(json_policy);
	return EXIT_SUCCESS;

	error:
	Fapi_Delete(context, "/");
	SAFE_FREE(publicblob);
	SAFE_FREE(privateblob);
	SAFE_FREE(policy);
	SAFE_FREE(signature);
	SAFE_FREE(publicKey);
	SAFE_FREE(certificate);
	SAFE_FREE(path_list);
	SAFE_FREE(json_policy);
	return EXIT_FAILURE;
	}

	int
	test_invoke_fapi(FAPI_CONTEXT *fapi_context)
	{
	return test_fapi_key_create_sign_password_provision(fapi_context);
	}