def test_seal_with_policy(self):
        handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)

        data = 'X' * 64
        auth = 'A' * 15
        pcrs = [16]

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            policy_dig = tpm2.get_policy_digest(handle)
        finally:
            tpm2.flush_context(handle)

        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)
    def test_seal_with_policy(self):
        handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)

        data = 'X' * 64
        auth = 'A' * 15
        pcrs = [16]

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            policy_dig = tpm2.get_policy_digest(handle)
        finally:
            tpm2.flush_context(handle)

        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)
    def test_unseal_with_wrong_policy(self):
        handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)

        data = 'X' * 64
        auth = 'A' * 17
        pcrs = [16]

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            policy_dig = tpm2.get_policy_digest(handle)
        finally:
            tpm2.flush_context(handle)

        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        # Extend first a PCR that is not part of the policy and try to unseal.
        # This should succeed.

        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
        tpm2.extend_pcr(1, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)

        # Then, extend a PCR that is part of the policy and try to unseal.
        # This should fail.
        tpm2.extend_pcr(16, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        rc = 0

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except ProtocolError, e:
            rc = e.rc
            tpm2.flush_context(handle)
    def test_unseal_with_wrong_policy(self):
        handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)

        data = 'X' * 64
        auth = 'A' * 17
        pcrs = [16]

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            policy_dig = tpm2.get_policy_digest(handle)
        finally:
            tpm2.flush_context(handle)

        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        # Extend first a PCR that is not part of the policy and try to unseal.
        # This should succeed.

        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
        tpm2.extend_pcr(1, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)

        # Then, extend a PCR that is part of the policy and try to unseal.
        # This should fail.
        tpm2.extend_pcr(16, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        rc = 0

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except ProtocolError, e:
            rc = e.rc
            tpm2.flush_context(handle)