Tests/esapi: Add Import
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
diff --git a/Makefile-test.am b/Makefile-test.am
index 033e3d4..b76f8e9 100644
--- a/Makefile-test.am
+++ b/Makefile-test.am
@@ -143,6 +143,7 @@
test/integration/esys-hierarchy-control.int \
test/integration/esys-hmacsequencestart.int \
test/integration/esys-hmacsequencestart-session.int \
+ test/integration/esys-import.int \
test/integration/esys-make-credential.int \
test/integration/esys-make-credential-session.int \
test/integration/esys-nv-ram-counter.int \
@@ -614,6 +615,13 @@
test/integration/esys-hierarchychangeauth.int.c \
test/integration/main-esapi.c test/integration/test-esapi.h
+test_integration_esys_import_int_CFLAGS = $(TESTS_CFLAGS)
+test_integration_esys_import_int_LDADD = $(TESTS_LDADD)
+test_integration_esys_import_int_LDFLAGS = $(TESTS_LDFLAGS) -lgcrypt
+test_integration_esys_import_int_SOURCES = \
+ test/integration/esys-import.int.c \
+ test/integration/main-esapi.c test/integration/test-esapi.h
+
test_integration_esys_make_credential_int_CFLAGS = $(TESTS_CFLAGS)
test_integration_esys_make_credential_int_LDADD = $(TESTS_LDADD)
test_integration_esys_make_credential_int_LDFLAGS = $(TESTS_LDFLAGS) -lgcrypt
diff --git a/test/integration/esys-import.int.c b/test/integration/esys-import.int.c
new file mode 100644
index 0000000..cef17d3
--- /dev/null
+++ b/test/integration/esys-import.int.c
@@ -0,0 +1,421 @@
+/*******************************************************************************
+ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ *******************************************************************************/
+
+#include "tss2_esys.h"
+#include "tss2_mu.h"
+
+#include "esys_iutil.h"
+#define LOGMODULE test
+#include "util/log.h"
+
+/*
+ * This test is intended to test the ESAPI commands Duplicate and Import.
+ * We start by creating a primary key (Esys_CreatePrimary).
+ * This primary key will be used as parent key for the Duplicate
+ * command. A second primary key will be the parent key of the
+ * duplicated key. In the last step the key is imported with the
+ * first primary key as parent key (Esys_Import).
+ */
+
+int
+test_invoke_esapi(ESYS_CONTEXT * esys_context)
+{
+ uint32_t r = 0;
+
+ /*
+ * Firth the policy value to be able to use Esys_Duplicate for an object has to be
+ * determined with a policy trial session.
+ */
+ ESYS_TR sessionTrial;
+ TPMT_SYM_DEF symmetricTrial = {.algorithm = TPM2_ALG_AES,
+ .keyBits = {.aes = 128},
+ .mode = {.aes = TPM2_ALG_CFB}
+ };
+ TPM2B_NONCE *nonceTpmTrial;
+ TPM2B_NONCE nonceCallerTrial = {
+ .size = 20,
+ .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
+ 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
+ };
+
+ r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+ &nonceCallerTrial,
+ TPM2_SE_TRIAL, &symmetricTrial, TPM2_ALG_SHA1, &sessionTrial,
+ &nonceTpmTrial);
+ goto_if_error(r, "Error: During initialization of policy trial session", error);
+
+ r = Esys_PolicyAuthValue(esys_context,
+ sessionTrial,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE
+ );
+ goto_if_error(r, "Error: PolicyAuthValue", error);
+
+ r = Esys_PolicyCommandCode(esys_context,
+ sessionTrial,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ TPM2_CC_Duplicate
+ );
+ goto_if_error(r, "Error: PolicyCommandCode", error);
+
+ TPM2B_DIGEST *policyDigestTrial;
+ r = Esys_PolicyGetDigest(esys_context,
+ sessionTrial,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ &policyDigestTrial
+ );
+ goto_if_error(r, "Error: PolicyGetDigest", error);
+
+ TPM2B_AUTH authValuePrimary = {
+ .size = 5,
+ .buffer = {1, 2, 3, 4, 5}
+ };
+
+ TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
+ .size = 4,
+ .sensitive = {
+ .userAuth = {
+ .size = 0,
+ .buffer = {0 },
+ },
+ .data = {
+ .size = 0,
+ .buffer = {0},
+ },
+ },
+ };
+
+ inSensitivePrimary.sensitive.userAuth = authValuePrimary;
+
+ TPM2B_PUBLIC inPublic = {
+ .size = 0,
+ .publicArea = {
+ .type = TPM2_ALG_RSA,
+ .nameAlg = TPM2_ALG_SHA1,
+ .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
+ TPMA_OBJECT_RESTRICTED |
+ TPMA_OBJECT_DECRYPT |
+ TPMA_OBJECT_FIXEDTPM |
+ TPMA_OBJECT_FIXEDPARENT |
+ TPMA_OBJECT_SENSITIVEDATAORIGIN),
+ .authPolicy = {
+ .size = 0,
+ },
+ .parameters.rsaDetail = {
+ .symmetric = {
+ .algorithm = TPM2_ALG_AES,
+ .keyBits.aes = 128,
+ .mode.aes = TPM2_ALG_CFB},
+ .scheme = {
+ .scheme = TPM2_ALG_NULL
+ },
+ .keyBits = 2048,
+ .exponent = 65537,
+ },
+ .unique.rsa = {
+ .size = 0,
+ .buffer = {},
+ },
+ },
+ };
+ LOG_INFO("\nRSA key will be created.");
+ TPM2B_DATA outsideInfo = {
+ .size = 0,
+ .buffer = {},
+ };
+
+ TPML_PCR_SELECTION creationPCR = {
+ .count = 0,
+ };
+
+ TPM2B_AUTH authValue = {
+ .size = 0,
+ .buffer = {}
+ };
+
+ r = Esys_TR_SetAuth(esys_context, ESYS_TR_RH_OWNER, &authValue);
+ goto_if_error(r, "Error: TR_SetAuth", error);
+
+ ESYS_TR primaryHandle_handle;
+ ESYS_TR primaryHandle_handle2;
+ RSRC_NODE_T *primaryHandle_node;
+ TPM2B_PUBLIC *outPublic;
+ TPM2B_CREATION_DATA *creationData;
+ TPM2B_DIGEST *creationHash;
+ TPMT_TK_CREATION *creationTicket;
+
+ r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
+ ESYS_TR_NONE, ESYS_TR_NONE,
+ &inSensitivePrimary, &inPublic,
+ &outsideInfo, &creationPCR, &primaryHandle_handle,
+ &outPublic, &creationData, &creationHash,
+ &creationTicket);
+ goto_if_error(r, "Error esys create primary", error);
+
+ r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
+ ESYS_TR_NONE, ESYS_TR_NONE,
+ &inSensitivePrimary, &inPublic,
+ &outsideInfo, &creationPCR, &primaryHandle_handle2,
+ &outPublic, &creationData, &creationHash,
+ &creationTicket);
+ goto_if_error(r, "Error esys create primary", error);
+
+ r = esys_GetResourceObject(esys_context, primaryHandle_handle,
+ &primaryHandle_node);
+ goto_if_error(r, "Error Esys GetResourceObject", error);
+
+ LOG_INFO("Created Primary with handle 0x%08x...",
+ primaryHandle_node->rsrc.handle);
+
+ r = Esys_TR_SetAuth(esys_context, primaryHandle_handle, &authValuePrimary);
+ goto_if_error(r, "Error: TR_SetAuth", error);
+
+ TPM2B_AUTH authKey2 = {
+ .size = 6,
+ .buffer = {6, 7, 8, 9, 10, 11}
+ };
+
+ TPM2B_SENSITIVE_CREATE inSensitive2 = {
+ .size = 1,
+ .sensitive = {
+ .userAuth = {
+ .size = 0,
+ .buffer = {0}
+ },
+ .data = {
+ .size = 0,
+ .buffer = {}
+ }
+ }
+ };
+
+ inSensitive2.sensitive.userAuth = authKey2;
+
+ TPM2B_PUBLIC inPublic2 = {
+ .size = 0,
+ .publicArea = {
+ .type = TPM2_ALG_RSA,
+ .nameAlg = TPM2_ALG_SHA1,
+ .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
+ TPMA_OBJECT_RESTRICTED |
+ TPMA_OBJECT_DECRYPT |
+ TPMA_OBJECT_SENSITIVEDATAORIGIN),
+
+ .authPolicy = {
+ .size = 0,
+ },
+ .parameters.rsaDetail = {
+ .symmetric = {
+ .algorithm = TPM2_ALG_AES,
+ .keyBits.aes = 128,
+ .mode.aes = TPM2_ALG_CFB
+ },
+ .scheme = {
+ .scheme =
+ TPM2_ALG_NULL,
+ },
+ .keyBits = 2048,
+ .exponent = 65537
+ },
+ .unique.rsa = {
+ .size = 0,
+ .buffer = {}
+ ,
+ }
+ }
+ };
+
+ TPM2B_DATA outsideInfo2 = {
+ .size = 0,
+ .buffer = {}
+ ,
+ };
+
+ TPML_PCR_SELECTION creationPCR2 = {
+ .count = 0,
+ };
+
+ TPM2B_PUBLIC *outPublic2;
+ TPM2B_PRIVATE *outPrivate2;
+ TPM2B_CREATION_DATA *creationData2;
+ TPM2B_DIGEST *creationHash2;
+ TPMT_TK_CREATION *creationTicket2;
+
+ inPublic2.publicArea.authPolicy = *policyDigestTrial;
+
+ r = Esys_Create(esys_context,
+ primaryHandle_handle,
+ ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
+ &inSensitive2,
+ &inPublic2,
+ &outsideInfo2,
+ &creationPCR2,
+ &outPrivate2,
+ &outPublic2,
+ &creationData2, &creationHash2, &creationTicket2);
+ goto_if_error(r, "Error esys create ", error);
+
+ LOG_INFO("\nSecond key created.");
+
+ ESYS_TR loadedKeyHandle;
+
+ r = Esys_Load(esys_context,
+ primaryHandle_handle,
+ ESYS_TR_PASSWORD,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE, outPrivate2, outPublic2, &loadedKeyHandle);
+ goto_if_error(r, "Error esys load ", error);
+
+ LOG_INFO("\nSecond Key loaded.");
+
+ r = Esys_TR_SetAuth(esys_context, loadedKeyHandle, &authKey2);
+ goto_if_error(r, "Error esys TR_SetAuth ", error);
+
+ TPM2B_PUBLIC *keyPublic;
+ TPM2B_NAME *keyName;
+ TPM2B_NAME *keyQualifiedName;
+
+ r = Esys_ReadPublic(esys_context,
+ loadedKeyHandle,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ &keyPublic,
+ &keyName,
+ &keyQualifiedName);
+
+ goto_if_error(r, "Error esys ReadPublic", error);
+
+ ESYS_TR policySession;
+ TPMT_SYM_DEF policySymmetric = {.algorithm = TPM2_ALG_AES,
+ .keyBits = {.aes = 128},
+ .mode = {.aes = TPM2_ALG_CFB}
+ };
+ TPM2B_NONCE *policyNonceTpm;
+ TPM2B_NONCE policyNonceCaller = {
+ .size = 20,
+ .buffer = {11, 12, 13, 14, 15, 16, 17, 18, 19, 11,
+ 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}
+ };
+
+ r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+ &policyNonceCaller,
+ TPM2_SE_POLICY, &policySymmetric, TPM2_ALG_SHA1, &policySession,
+ &policyNonceTpm);
+ goto_if_error(r, "Error: During initialization of policy trial session", error);
+
+
+ r = Esys_PolicyAuthValue(esys_context,
+ policySession,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE
+ );
+ goto_if_error(r, "Error: PolicyAuthValue", error);
+
+ r = Esys_PolicyCommandCode(esys_context,
+ policySession,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ TPM2_CC_Duplicate
+ );
+ goto_if_error(r, "Error: PolicyCommandCode", error);
+
+ TPM2B_DATA encryptionKey = {0};
+
+ TPMT_SYM_DEF_OBJECT symmetric = {.algorithm = TPM2_ALG_NULL,
+ .keyBits = {.aes = 128},
+ .mode = {.aes = TPM2_ALG_CFB}};
+
+ TPM2B_DATA *encryptionKeyOut;
+ TPM2B_PRIVATE *duplicate;
+ TPM2B_ENCRYPTED_SECRET *outSymSeed;
+
+ r = Esys_Duplicate(
+ esys_context,
+ loadedKeyHandle,
+ primaryHandle_handle2,
+ policySession,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ &encryptionKey,
+ &symmetric,
+ &encryptionKeyOut,
+ &duplicate,
+ &outSymSeed);
+
+ goto_if_error(r, "Error: Duplicate", error);
+
+ TPM2B_NAME *nameKeySign;
+ TPM2B_PRIVATE *outPrivate;
+
+ r = Esys_ReadPublic(esys_context,
+ loadedKeyHandle,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ &outPublic,
+ &nameKeySign,
+ &keyQualifiedName);
+ goto_if_error(r, "Error: ReadPublic", error);
+
+ r = Esys_Import(
+ esys_context,
+ primaryHandle_handle,
+ ESYS_TR_PASSWORD,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE,
+ encryptionKeyOut,
+ outPublic,
+ duplicate,
+ outSymSeed,
+ &symmetric,
+ &outPrivate);
+ goto_if_error(r, "Error: Import", error);
+
+ r = Esys_FlushContext(esys_context, primaryHandle_handle);
+ goto_if_error(r, "Flushing context", error);
+
+ r = Esys_FlushContext(esys_context, primaryHandle_handle2);
+ goto_if_error(r, "Flushing context", error);
+
+ r = Esys_FlushContext(esys_context, loadedKeyHandle);
+ goto_if_error(r, "Flushing context", error);
+
+ return 0;
+
+ error:
+ return 1;
+}