def test_unseal_with_wrong_policy(self):
    """Seal under a PCR+password policy and check the PCR binding on unseal.

    Changing a PCR that the policy does not name must leave the unseal
    working; once a PCR that the policy does name is extended, the policy
    digest no longer matches and the TPM must refuse with
    TPM2_RC_POLICY_FAIL.
    """
    # Pick a PCR bank that holds both PCR 1 and PCR 16 (mask 1 << 16 | 1 << 1).
    bank_alg = self.determine_bank_alg(1 << 16 | 1 << 1)
    self.assertIsNotNone(bank_alg)

    data = b'X' * 64
    auth = b'A' * 17
    pcrs = [16]

    def apply_policy(session):
        # Same command order as the trial session: the policy digest depends
        # on the order in which the policy terms are applied.
        self.client.policy_pcr(session, pcrs, bank_alg=bank_alg)
        self.client.policy_password(session)

    # A trial session only computes the digest; it never authorises anything.
    trial = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
    try:
        apply_policy(trial)
        policy_dig = self.client.get_policy_digest(trial)
    finally:
        self.client.flush_context(trial)

    blob = self.client.seal(self.root_key, data, auth, policy_dig)
    extension = b'X' * tpm2.get_digest_size(bank_alg)

    # PCR 1 is outside the policy: extending it must not break the unseal.
    self.client.extend_pcr(1, extension, bank_alg=bank_alg)
    session = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
    try:
        apply_policy(session)
        result = self.client.unseal(self.root_key, blob, auth, session)
    except BaseException:
        self.client.flush_context(session)
        raise
    self.assertEqual(data, result)

    # PCR 16 is inside the policy: extending it must make the unseal fail.
    self.client.extend_pcr(16, extension, bank_alg=bank_alg)
    session = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
    rc = 0
    try:
        apply_policy(session)
        self.client.unseal(self.root_key, blob, auth, session)
    except ProtocolError as e:
        rc = e.rc
        self.client.flush_context(session)
    except BaseException:
        self.client.flush_context(session)
        raise
    self.assertEqual(rc, tpm2.TPM2_RC_POLICY_FAIL)
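def test_seal_with_too_long_auth(self):
    """Sealing with an auth value longer than the digest size must fail.

    The TPM is expected to answer with TPM2_RC_SIZE; silently truncating an
    oversized auth value would weaken the sealed object's authorisation
    without the caller noticing.

    Fixes: the handler used the Python 2 ``except ProtocolError, e`` form,
    which is a SyntaxError on Python 3, the return code was captured but
    never asserted (the test could not fail), and ``data``/``auth`` were
    str rather than the bytes the other tests pass.
    """
    limit = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
    data = b'X' * 64
    auth = b'A' * (limit + 1)  # one byte past the allowed size
    rc = 0
    try:
        self.client.seal(self.root_key, data, auth, None)
    except ProtocolError as e:
        rc = e.rc
    # rc stays 0 if the TPM accepted the oversized auth, which is the failure
    # this test exists to catch.
    self.assertEqual(rc, tpm2.TPM2_RC_SIZE)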
def test_seal_with_too_long_auth(self):
    """Sealing with an auth value longer than the digest size must fail.

    The TPM is expected to answer with TPM2_RC_SIZE rather than silently
    truncating the oversized auth value.
    """
    limit = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
    data = b'X' * 64
    auth = b'A' * (limit + 1)  # one byte past the allowed size
    rc = 0
    try:
        self.client.seal(self.root_key, data, auth, None)
    except ProtocolError as e:
        rc = e.rc
    # rc is still 0 if the TPM accepted the oversized auth.
    self.assertEqual(rc, tpm2.TPM2_RC_SIZE)
def test_unseal_with_wrong_policy(self): handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL) data = 'X' * 64 auth = 'A' * 17 pcrs = [16] try: self.client.policy_pcr(handle, pcrs) self.client.policy_password(handle) policy_dig = self.client.get_policy_digest(handle) finally: self.client.flush_context(handle) blob = self.client.seal(self.root_key, data, auth, policy_dig) # Extend first a PCR that is not part of the policy and try to unseal. # This should succeed. ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1) self.client.extend_pcr(1, 'X' * ds) handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY) try: self.client.policy_pcr(handle, pcrs) self.client.policy_password(handle) result = self.client.unseal(self.root_key, blob, auth, handle) except: self.client.flush_context(handle) raise self.assertEqual(data, result) # Then, extend a PCR that is part of the policy and try to unseal. # This should fail. self.client.extend_pcr(16, 'X' * ds) handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY) rc = 0 try: self.client.policy_pcr(handle, pcrs) self.client.policy_password(handle) result = self.client.unseal(self.root_key, blob, auth, handle) except ProtocolError, e: rc = e.rc self.client.flush_context(handle)