1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3 * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4 * All rights reserved.
5 *******************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10
11 #include <stdlib.h>
12 #include <string.h>
13
14 #include "tss2_fapi.h"
15
16 #include "test-fapi.h"
17 #include "fapi_util.h"
18 #include "fapi_int.h"
19
20 #include "esys_iutil.h"
21 #define LOGMODULE test
22 #include "util/log.h"
23 #include "util/aux_util.h"
24
25 #define PASSWORD "abc"
26 #define SIGN_TEMPLATE "sign,noDa"
27
28 static TSS2_RC
auth_callback(char const * objectPath,char const * description,const char ** auth,void * userData)29 auth_callback(
30 char const *objectPath,
31 char const *description,
32 const char **auth,
33 void *userData)
34 {
35 UNUSED(description);
36 UNUSED(userData);
37
38 if (!objectPath) {
39 return_error(TSS2_FAPI_RC_BAD_VALUE, "No path.");
40 }
41
42 char *pw = PASSWORD;
43 if (!pw)
44 return TSS2_FAPI_RC_GENERAL_FAILURE;
45
46 *auth = pw;
47 return TSS2_RC_SUCCESS;
48 }
49
50 /** Test the FAPI functions for key creation and usage with an SH password.
51 *
52 * Tested FAPI commands:
53 * - Fapi_Provision()
54 * - Fapi_SetAuthCB()
55 * - Fapi_CreateKey()
56 * - Fapi_GetTpmBlobs()
57 * - Fapi_Sign()
58 * - Fapi_SetCertificate()
59 * - Fapi_List()
60 * - Fapi_ChangeAuth()
61 * - Fapi_Delete()
62 *
63 * @param[in,out] context The FAPI_CONTEXT.
64 * @retval EXIT_FAILURE
65 * @retval EXIT_SUCCESS
66 */
67 int
test_fapi_key_create_sign_password_provision(FAPI_CONTEXT * context)68 test_fapi_key_create_sign_password_provision(FAPI_CONTEXT *context)
69 {
70 TSS2_RC r;
71 char *sigscheme = NULL;
72 uint8_t *publicblob = NULL;
73 uint8_t *privateblob = NULL;
74 char *policy = NULL;
75 uint8_t *signature = NULL;
76 char *publicKey = NULL;
77 char *certificate = NULL;
78 char *path_list = NULL;
79 char *policy_name = "/policy/pol_pcr16_0";
80 char *policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0.json";
81 FILE *stream = NULL;
82 char *json_policy = NULL;
83 long policy_size;
84
85 size_t publicsize;
86 size_t privatesize;
87
88 const char *cert =
89 "-----BEGIN CERTIFICATE-----\n"
90 "MIIDBjCCAe4CCQDcvXBOEVM0UTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJE\n"
91 "RTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n"
92 "cyBQdHkgTHRkMB4XDTE5MDIyODEwNDkyM1oXDTM1MDgyNzEwNDkyM1owRTELMAkG\n"
93 "A1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\n"
94 "IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
95 "AKBi+iKwkgM55iCMwXrLCJlu7TzlMu/LlkyGrm99ip2B5+/Cl6a62d8pKelg6zkH\n"
96 "jI7+AAPteJiW4O+2qVWF8hJ5BXTjGtYbM0iZ6enCb8eyC54C7xVMc21ZIv3ob4Et\n"
97 "50ZOuzY2pfpzE3vIaXt1CkHlfyI/hdK+mM/dVvuCz5p3AIlHrEWS3rSNgWbCsB2E\n"
98 "TM55qSGKaLmtTbUvEKRF0TJrFLntfXkv10QD5pgn52+QV9k59OogqZOsDvkXzKPX\n"
99 "rXF+XC0gLiGBEGAr1dv9F03xMOtO77bQTdGOeC61Tip6Nb0V3ebMckZXwdFi+Nhe\n"
100 "FRuU33CaObtV6u5PZvSue/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcamUPe8I\n"
101 "nMOHcv9x5lVN1joihVRmKc0QqNLFc6XpJY8+U5rGkZvOcDe9Da8L97wDNXpKmU/q\n"
102 "pprj3rT8l3v0Z5xs8Vdr8lxS6T5NhqQV0UCsn1x14gZJcE48y9/LazYi6Zcar+BX\n"
103 "Am4vewAV3HmQ8X2EctsRhXe4wlAq4slIfEWaaofa8ai7BzO9KwpMLsGPWoNetkB9\n"
104 "19+SFt0lFFOj/6vDw5pCpSd1nQlo1ug69mJYSX/wcGkV4t4LfGhV8jRPDsGs6I5n\n"
105 "ETHSN5KV1XCPYJmRCjFY7sIt1x4zN7JJRO9DVw+YheIlduVfkBiF+GlQgLlFTjrJ\n"
106 "VrpSGMIFSu301A==\n"
107 "-----END CERTIFICATE-----\n";
108
109 if (strcmp("P_ECC", fapi_profile) != 0)
110 sigscheme = "RSA_PSS";
111
112 /* We need to reset the passwords again, in order to not brick physical TPMs */
113 r = Fapi_Provision(context, NULL, PASSWORD, NULL);
114 goto_if_error(r, "Error Fapi_Provision", error);
115
116 r = Fapi_SetAuthCB(context, auth_callback, NULL);
117 goto_if_error(r, "Error SetPolicyAuthCallback", error);
118
119 stream = fopen(policy_file, "r");
120 if (!stream) {
121 LOG_ERROR("File %s does not exist", policy_file);
122 goto error;
123 }
124 fseek(stream, 0L, SEEK_END);
125 policy_size = ftell(stream);
126 fclose(stream);
127 json_policy = malloc(policy_size + 1);
128 goto_if_null(json_policy,
129 "Could not allocate memory for the JSON policy",
130 TSS2_FAPI_RC_MEMORY, error);
131 stream = fopen(policy_file, "r");
132 ssize_t ret = read(fileno(stream), json_policy, policy_size);
133 if (ret != policy_size) {
134 LOG_ERROR("IO error %s.", policy_file);
135 goto error;
136 }
137 json_policy[policy_size] = '\0';
138
139 r = Fapi_Import(context, policy_name, json_policy);
140 goto_if_error(r, "Error Fapi_Import", error);
141
142 r = Fapi_CreateKey(context, "HS/SRK/mySignKey", SIGN_TEMPLATE, policy_name,
143 PASSWORD);
144
145 goto_if_error(r, "Error Fapi_CreateKey", error);
146 size_t signatureSize = 0;
147
148 TPM2B_DIGEST digest = {
149 .size = 20,
150 .buffer = {
151 0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
152 0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f
153 }
154 };
155
156 r = Fapi_GetTpmBlobs(context, "HS/SRK/mySignKey", &publicblob,
157 &publicsize,
158 &privateblob, &privatesize, &policy);
159 goto_if_error(r, "Error Fapi_GetTpmBlobs", error);
160 ASSERT(publicblob != NULL);
161 ASSERT(privateblob != NULL);
162 ASSERT(policy != NULL);
163 ASSERT(strlen(policy) > ASSERT_SIZE);
164
165 r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", cert);
166 goto_if_error(r, "Error Fapi_SetCertificate", error);
167
168 r = Fapi_Sign(context, "HS/SRK/mySignKey", sigscheme,
169 &digest.buffer[0], digest.size, &signature, &signatureSize,
170 &publicKey, &certificate);
171 goto_if_error(r, "Error Fapi_Sign", error);
172 ASSERT(signature != NULL);
173 ASSERT(publicKey != NULL);
174 ASSERT(certificate != NULL);
175 LOG_INFO("Public key: %s", publicKey);
176 ASSERT(strstr(publicKey, "BEGIN PUBLIC KEY"));
177 LOG_INFO("Certificate: %s", certificate);
178 ASSERT(strstr(certificate, "BEGIN CERTIFICATE"));
179
180 r = Fapi_List(context, "/", &path_list);
181 goto_if_error(r, "Error Fapi_Delete", error);
182 ASSERT(path_list != NULL);
183 ASSERT(strlen(path_list) > ASSERT_SIZE);
184
185 fprintf(stderr, "\nPathList:\n%s\n", path_list);
186
187 /* We need to reset the passwords again, in order to not brick physical TPMs */
188 r = Fapi_ChangeAuth(context, "/HS", NULL);
189 goto_if_error(r, "Error Fapi_ChangeAuth", error);
190
191 r = Fapi_Delete(context, "/");
192 goto_if_error(r, "Error Fapi_Delete", error);
193
194 SAFE_FREE(publicblob);
195 SAFE_FREE(privateblob);
196 SAFE_FREE(policy);
197 SAFE_FREE(signature);
198 SAFE_FREE(publicKey);
199 SAFE_FREE(certificate);
200 SAFE_FREE(path_list);
201 SAFE_FREE(json_policy);
202 return EXIT_SUCCESS;
203
204 error:
205 Fapi_Delete(context, "/");
206 SAFE_FREE(publicblob);
207 SAFE_FREE(privateblob);
208 SAFE_FREE(policy);
209 SAFE_FREE(signature);
210 SAFE_FREE(publicKey);
211 SAFE_FREE(certificate);
212 SAFE_FREE(path_list);
213 SAFE_FREE(json_policy);
214 return EXIT_FAILURE;
215 }
216
217 int
test_invoke_fapi(FAPI_CONTEXT * fapi_context)218 test_invoke_fapi(FAPI_CONTEXT *fapi_context)
219 {
220 return test_fapi_key_create_sign_password_provision(fapi_context);
221 }
222