def test_seal_with_auth(self):
    """Seal a blob under a plain password and unseal it with the same password.

    No policy is attached (the policy argument is None), so the auth value
    alone gates the unseal.
    """
    secret = 'X' * 64
    password = 'A' * 15
    sealed = tpm2.seal(self.root_key, secret, password, None)
    unsealed = tpm2.unseal(self.root_key, sealed, password, None)
    self.assertEqual(secret, unsealed)
def test_seal_with_policy(self):
    """Seal under a PCR+password policy and unseal by satisfying that policy.

    The policy digest is computed in a trial session, the blob is sealed
    to it, and a real policy session replays the same policy commands to
    authorise the unseal.
    """
    secret = 'X' * 64
    password = 'A' * 15
    pcrs = [16]

    def apply_policy(session):
        # The trial and the real session must run identical policy commands.
        tpm2.policy_pcr(session, pcrs)
        tpm2.policy_password(session)

    trial = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
    try:
        apply_policy(trial)
        policy_dig = tpm2.get_policy_digest(trial)
    finally:
        tpm2.flush_context(trial)

    sealed = tpm2.seal(self.root_key, secret, password, policy_dig)

    session = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
    try:
        apply_policy(session)
        unsealed = tpm2.unseal(self.root_key, sealed, password, session)
    except:
        # The session is only flushed explicitly on failure; on success it
        # is presumably consumed by the unseal call — confirm against
        # tpm2.unseal before relying on that.
        tpm2.flush_context(session)
        raise
    self.assertEqual(secret, unsealed)
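def test_seal_with_too_long_auth(self):
    """Sealing must be rejected when the auth value is one byte over the limit.

    The auth value is sized to the SHA-1 digest size plus one, which this
    test treats as just past the largest auth the TPM accepts; the seal
    must fail with TPM2_RC_SIZE rather than be truncated or accepted.
    """
    ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
    data = 'X' * 64
    auth = 'A' * (ds + 1)  # one byte past the digest size

    rc = 0
    try:
        tpm2.seal(self.root_key, data, auth, None)
    except ProtocolError as e:
        rc = e.rc
    # Without this assertion the test passes even when the seal succeeds.
    self.assertEqual(rc, tpm2.TPM2_RC_SIZE)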
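def test_unseal_with_wrong_auth(self):
    """Unsealing with a password that differs in its last byte must fail.

    The blob is sealed under a 20-byte auth value and unsealed with a copy
    whose final byte is changed; the TPM must refuse with TPM2_RC_AUTH_FAIL.
    """
    data = 'X' * 64
    auth = 'A' * 20
    blob = tpm2.seal(self.root_key, data, auth, None)

    rc = 0
    try:
        # Same length, single-byte difference at the end.
        tpm2.unseal(self.root_key, blob, auth[:-1] + 'B', None)
    except ProtocolError as e:
        rc = e.rc
    # Without this assertion the test passes even when the unseal succeeds.
    self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)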
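def test_unseal_with_wrong_policy(self):
    """Unseal under a PCR policy before and after the policy PCR is extended.

    Extending a PCR outside the policy (PCR 1) must leave the unseal
    working; extending the policy PCR (16) must make it fail with
    TPM2_RC_POLICY_FAIL.
    """
    data = 'X' * 64
    auth = 'A' * 17
    pcrs = [16]

    handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
    try:
        tpm2.policy_pcr(handle, pcrs)
        tpm2.policy_password(handle)
        policy_dig = tpm2.get_policy_digest(handle)
    finally:
        tpm2.flush_context(handle)

    blob = tpm2.seal(self.root_key, data, auth, policy_dig)

    # Extend first a PCR that is not part of the policy and try to unseal.
    # This should succeed.
    ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
    tpm2.extend_pcr(1, 'X' * ds)

    handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
    try:
        tpm2.policy_pcr(handle, pcrs)
        tpm2.policy_password(handle)
        result = tpm2.unseal(self.root_key, blob, auth, handle)
    except:
        # Flushed explicitly only on failure, as in the other policy tests.
        tpm2.flush_context(handle)
        raise
    self.assertEqual(data, result)

    # Then, extend a PCR that is part of the policy and try to unseal.
    # This should fail.
    tpm2.extend_pcr(16, 'X' * ds)

    handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
    rc = 0
    try:
        tpm2.policy_pcr(handle, pcrs)
        tpm2.policy_password(handle)
        tpm2.unseal(self.root_key, blob, auth, handle)
    except ProtocolError as e:
        rc = e.rc
        tpm2.flush_context(handle)
    # Without this assertion the test passes even when the unseal succeeds.
    self.assertEqual(rc, tpm2.TPM2_RC_POLICY_FAIL)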
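def test_seal_with_policy_script(self):
    """Seal to a PCR policy produced by the tpm2-pcr-policy helper and unseal it.

    The helper is run twice: once with --trial to obtain the policy digest
    the blob is sealed to, then for real to open a policy session whose
    handle is passed to unseal.  The helper is invoked with an argument
    list (no shell), so its fixed command line is not shell-interpreted.
    """
    import binascii

    data = 'X' * 32
    auth = '\0' * 20
    # Policy over PCR 16 of the SHA-1 bank (see the --pcr/--bank flags).
    trial_cmd = './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1 --trial'
    # unhexlify accepts both Python 2 str and Python 3 bytes, unlike the
    # Python-2-only str.decode('hex') codec.
    policy_dig = binascii.unhexlify(check_output(trial_cmd.split()).rstrip())
    blob = tpm2.seal(self.root_key, data, auth, policy_dig)

    real_cmd = './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1'
    # The helper prints the session handle as a number; base 0 honours a
    # 0x prefix.
    handle = int(check_output(real_cmd.split()).rstrip(), 0)
    try:
        result = tpm2.unseal(self.root_key, blob, auth, handle)
    except:
        # The session was opened by the helper, so it is ours to flush
        # when the unseal fails.
        tpm2.flush_context(handle)
        raise
    self.assertEqual(data, result)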
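def test_seal_with_policy_script(self):
    """Seal to a PCR policy produced by the tpm2-pcr-policy helper and unseal it.

    The helper is run twice: once with --trial to obtain the policy digest
    the blob is sealed to, then for real to open a policy session whose
    handle is passed to unseal.  The helper is invoked with an argument
    list (no shell), so its fixed command line is not shell-interpreted.

    NOTE(review): a method of this name also appears earlier in the file;
    the later definition is the one the test runner sees.
    """
    import binascii

    data = 'X' * 32
    auth = '\0' * 20
    # Policy over PCR 16 of the SHA-1 bank (see the --pcr/--bank flags).
    trial_cmd = './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1 --trial'
    # unhexlify accepts both Python 2 str and Python 3 bytes, unlike the
    # Python-2-only str.decode('hex') codec.
    policy_dig = binascii.unhexlify(check_output(trial_cmd.split()).rstrip())
    blob = tpm2.seal(self.root_key, data, auth, policy_dig)

    real_cmd = './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1'
    # The helper prints the session handle as a number; base 0 honours a
    # 0x prefix.
    handle = int(check_output(real_cmd.split()).rstrip(), 0)
    try:
        result = tpm2.unseal(self.root_key, blob, auth, handle)
    except:
        # The session was opened by the helper, so it is ours to flush
        # when the unseal fails.
        tpm2.flush_context(handle)
        raise
    self.assertEqual(data, result)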