1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*******************************************************************************
3  * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
4  * All rights reserved.
5  *******************************************************************************/
6 
7 #ifdef HAVE_CONFIG_H
8 #include <config.h>
9 #endif
10 
11 #include <stdlib.h>
12 #include <string.h>
13 
14 #include "tss2_fapi.h"
15 
16 #include "test-fapi.h"
17 #include "fapi_util.h"
18 #include "fapi_int.h"
19 
20 #include "esys_iutil.h"
21 #define LOGMODULE test
22 #include "util/log.h"
23 #include "util/aux_util.h"
24 
25 #define PASSWORD "abc"
26 #define SIGN_TEMPLATE "sign,noDa"
27 
28 static TSS2_RC
auth_callback(char const * objectPath,char const * description,const char ** auth,void * userData)29 auth_callback(
30     char const *objectPath,
31     char const *description,
32     const char **auth,
33     void *userData)
34 {
35     UNUSED(description);
36     UNUSED(userData);
37 
38     if (!objectPath) {
39         return_error(TSS2_FAPI_RC_BAD_VALUE, "No path.");
40     }
41 
42     char *pw = PASSWORD;
43     if (!pw)
44         return TSS2_FAPI_RC_GENERAL_FAILURE;
45 
46     *auth = pw;
47     return TSS2_RC_SUCCESS;
48 }
49 
50 /** Test the FAPI functions for key creation and usage with an SH password.
51  *
52  * Tested FAPI commands:
53  *  - Fapi_Provision()
54  *  - Fapi_SetAuthCB()
55  *  - Fapi_CreateKey()
56  *  - Fapi_GetTpmBlobs()
57  *  - Fapi_Sign()
58  *  - Fapi_SetCertificate()
59  *  - Fapi_List()
60  *  - Fapi_ChangeAuth()
61  *  - Fapi_Delete()
62  *
63  * @param[in,out] context The FAPI_CONTEXT.
64  * @retval EXIT_FAILURE
65  * @retval EXIT_SUCCESS
66  */
67 int
test_fapi_key_create_sign_password_provision(FAPI_CONTEXT * context)68 test_fapi_key_create_sign_password_provision(FAPI_CONTEXT *context)
69 {
70     TSS2_RC r;
71     char *sigscheme = NULL;
72     uint8_t       *publicblob = NULL;
73     uint8_t       *privateblob = NULL;
74     char          *policy = NULL;
75     uint8_t *signature = NULL;
76     char    *publicKey = NULL;
77     char    *certificate = NULL;
78     char *path_list = NULL;
79     char *policy_name = "/policy/pol_pcr16_0";
80     char *policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0.json";
81     FILE *stream = NULL;
82     char *json_policy = NULL;
83     long policy_size;
84 
85     size_t         publicsize;
86     size_t         privatesize;
87 
88     const char *cert =
89         "-----BEGIN CERTIFICATE-----\n"
90         "MIIDBjCCAe4CCQDcvXBOEVM0UTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJE\n"
91         "RTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n"
92         "cyBQdHkgTHRkMB4XDTE5MDIyODEwNDkyM1oXDTM1MDgyNzEwNDkyM1owRTELMAkG\n"
93         "A1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\n"
94         "IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
95         "AKBi+iKwkgM55iCMwXrLCJlu7TzlMu/LlkyGrm99ip2B5+/Cl6a62d8pKelg6zkH\n"
96         "jI7+AAPteJiW4O+2qVWF8hJ5BXTjGtYbM0iZ6enCb8eyC54C7xVMc21ZIv3ob4Et\n"
97         "50ZOuzY2pfpzE3vIaXt1CkHlfyI/hdK+mM/dVvuCz5p3AIlHrEWS3rSNgWbCsB2E\n"
98         "TM55qSGKaLmtTbUvEKRF0TJrFLntfXkv10QD5pgn52+QV9k59OogqZOsDvkXzKPX\n"
99         "rXF+XC0gLiGBEGAr1dv9F03xMOtO77bQTdGOeC61Tip6Nb0V3ebMckZXwdFi+Nhe\n"
100         "FRuU33CaObtV6u5PZvSue/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcamUPe8I\n"
101         "nMOHcv9x5lVN1joihVRmKc0QqNLFc6XpJY8+U5rGkZvOcDe9Da8L97wDNXpKmU/q\n"
102         "pprj3rT8l3v0Z5xs8Vdr8lxS6T5NhqQV0UCsn1x14gZJcE48y9/LazYi6Zcar+BX\n"
103         "Am4vewAV3HmQ8X2EctsRhXe4wlAq4slIfEWaaofa8ai7BzO9KwpMLsGPWoNetkB9\n"
104         "19+SFt0lFFOj/6vDw5pCpSd1nQlo1ug69mJYSX/wcGkV4t4LfGhV8jRPDsGs6I5n\n"
105         "ETHSN5KV1XCPYJmRCjFY7sIt1x4zN7JJRO9DVw+YheIlduVfkBiF+GlQgLlFTjrJ\n"
106         "VrpSGMIFSu301A==\n"
107         "-----END CERTIFICATE-----\n";
108 
109     if (strcmp("P_ECC", fapi_profile) != 0)
110         sigscheme = "RSA_PSS";
111 
112     /* We need to reset the passwords again, in order to not brick physical TPMs */
113     r = Fapi_Provision(context, NULL, PASSWORD, NULL);
114     goto_if_error(r, "Error Fapi_Provision", error);
115 
116     r = Fapi_SetAuthCB(context, auth_callback, NULL);
117     goto_if_error(r, "Error SetPolicyAuthCallback", error);
118 
119     stream = fopen(policy_file, "r");
120     if (!stream) {
121         LOG_ERROR("File %s does not exist", policy_file);
122         goto error;
123     }
124     fseek(stream, 0L, SEEK_END);
125     policy_size = ftell(stream);
126     fclose(stream);
127     json_policy = malloc(policy_size + 1);
128     goto_if_null(json_policy,
129             "Could not allocate memory for the JSON policy",
130             TSS2_FAPI_RC_MEMORY, error);
131     stream = fopen(policy_file, "r");
132     ssize_t ret = read(fileno(stream), json_policy, policy_size);
133     if (ret != policy_size) {
134         LOG_ERROR("IO error %s.", policy_file);
135         goto error;
136     }
137     json_policy[policy_size] = '\0';
138 
139     r = Fapi_Import(context, policy_name, json_policy);
140     goto_if_error(r, "Error Fapi_Import", error);
141 
142     r = Fapi_CreateKey(context, "HS/SRK/mySignKey", SIGN_TEMPLATE, policy_name,
143                        PASSWORD);
144 
145     goto_if_error(r, "Error Fapi_CreateKey", error);
146     size_t signatureSize = 0;
147 
148     TPM2B_DIGEST digest = {
149         .size = 20,
150         .buffer = {
151             0x67, 0x68, 0x03, 0x3e, 0x21, 0x64, 0x68, 0x24, 0x7b, 0xd0,
152             0x31, 0xa0, 0xa2, 0xd9, 0x87, 0x6d, 0x79, 0x81, 0x8f, 0x8f
153         }
154     };
155 
156     r = Fapi_GetTpmBlobs(context,  "HS/SRK/mySignKey", &publicblob,
157                          &publicsize,
158                          &privateblob, &privatesize, &policy);
159     goto_if_error(r, "Error Fapi_GetTpmBlobs", error);
160     ASSERT(publicblob != NULL);
161     ASSERT(privateblob != NULL);
162     ASSERT(policy != NULL);
163     ASSERT(strlen(policy) > ASSERT_SIZE);
164 
165     r = Fapi_SetCertificate(context, "HS/SRK/mySignKey", cert);
166     goto_if_error(r, "Error Fapi_SetCertificate", error);
167 
168     r = Fapi_Sign(context, "HS/SRK/mySignKey", sigscheme,
169                   &digest.buffer[0], digest.size, &signature, &signatureSize,
170                   &publicKey, &certificate);
171     goto_if_error(r, "Error Fapi_Sign", error);
172     ASSERT(signature != NULL);
173     ASSERT(publicKey != NULL);
174     ASSERT(certificate != NULL);
175     LOG_INFO("Public key: %s", publicKey);
176     ASSERT(strstr(publicKey, "BEGIN PUBLIC KEY"));
177     LOG_INFO("Certificate: %s", certificate);
178     ASSERT(strstr(certificate, "BEGIN CERTIFICATE"));
179 
180     r = Fapi_List(context, "/", &path_list);
181     goto_if_error(r, "Error Fapi_Delete", error);
182     ASSERT(path_list != NULL);
183     ASSERT(strlen(path_list) > ASSERT_SIZE);
184 
185     fprintf(stderr, "\nPathList:\n%s\n", path_list);
186 
187     /* We need to reset the passwords again, in order to not brick physical TPMs */
188     r = Fapi_ChangeAuth(context, "/HS", NULL);
189     goto_if_error(r, "Error Fapi_ChangeAuth", error);
190 
191     r = Fapi_Delete(context, "/");
192     goto_if_error(r, "Error Fapi_Delete", error);
193 
194     SAFE_FREE(publicblob);
195     SAFE_FREE(privateblob);
196     SAFE_FREE(policy);
197     SAFE_FREE(signature);
198     SAFE_FREE(publicKey);
199     SAFE_FREE(certificate);
200     SAFE_FREE(path_list);
201     SAFE_FREE(json_policy);
202     return EXIT_SUCCESS;
203 
204 error:
205     Fapi_Delete(context, "/");
206     SAFE_FREE(publicblob);
207     SAFE_FREE(privateblob);
208     SAFE_FREE(policy);
209     SAFE_FREE(signature);
210     SAFE_FREE(publicKey);
211     SAFE_FREE(certificate);
212     SAFE_FREE(path_list);
213     SAFE_FREE(json_policy);
214     return EXIT_FAILURE;
215 }
216 
217 int
test_invoke_fapi(FAPI_CONTEXT * fapi_context)218 test_invoke_fapi(FAPI_CONTEXT *fapi_context)
219 {
220     return test_fapi_key_create_sign_password_provision(fapi_context);
221 }
222