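def test_unseal_with_wrong_policy(self):
        """Check that a PCR-bound blob stops unsealing once its PCR changes.

        The blob is sealed under a policy built from policy_pcr over PCR 16
        plus policy_password. Extending PCR 1, which is not in the policy,
        must leave the blob unsealable. Extending PCR 16 must make the
        unseal attempt fail.

        Side effect: this test extends PCR 1 and PCR 16 on the TPM it runs
        against.
        """
        handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)

        data = 'X' * 64
        auth = 'A' * 17
        pcrs = [16]

        # Build the policy in the trial session to obtain its digest; the
        # session is flushed whether or not that works.
        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            policy_dig = tpm2.get_policy_digest(handle)
        finally:
            tpm2.flush_context(handle)

        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        # Extend first a PCR that is not part of the policy and try to unseal.
        # This should succeed.

        # The extend value is sized to the SHA-1 digest length.
        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
        tpm2.extend_pcr(1, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            # The session is flushed explicitly only on failure.
            # NOTE(review): presumably the TPM releases a policy session
            # after a successful use -- confirm.
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)

        # Then, extend a PCR that is part of the policy and try to unseal.
        # This should fail.
        tpm2.extend_pcr(16, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        rc = 0

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            tpm2.unseal(self.root_key, blob, auth, handle)
        except ProtocolError as e:
            rc = e.rc
            tpm2.flush_context(handle)
        except:
            # Any other error: release the session like the phase above does.
            tpm2.flush_context(handle)
            raise

        # Without this check the test passes even if the TPM hands out the
        # secret after the policy PCR has changed. rc stays 0 only when no
        # ProtocolError was raised (assumes e.rc is never 0 -- confirm).
        # NOTE(review): any of the three calls in the try block can set rc;
        # comparing against the module's policy-failure response code, if it
        # defines one, would pin the failure to the policy check.
        self.assertNotEqual(rc, 0)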
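    def test_unseal_with_wrong_policy(self):
        """Check that a PCR-bound blob stops unsealing once its PCR changes.

        The blob is sealed under a policy built from policy_pcr over PCR 16
        plus policy_password. Extending PCR 1, which is not in the policy,
        must leave the blob unsealable. Extending PCR 16 must make the
        unseal attempt fail.

        Side effect: this test extends PCR 1 and PCR 16 on the TPM it runs
        against.
        """
        handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)

        data = 'X' * 64
        auth = 'A' * 17
        pcrs = [16]

        # Build the policy in the trial session to obtain its digest; the
        # session is flushed whether or not that works.
        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            policy_dig = tpm2.get_policy_digest(handle)
        finally:
            tpm2.flush_context(handle)

        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        # Extend first a PCR that is not part of the policy and try to unseal.
        # This should succeed.

        # The extend value is sized to the SHA-1 digest length.
        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
        tpm2.extend_pcr(1, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            # The session is flushed explicitly only on failure.
            # NOTE(review): presumably the TPM releases a policy session
            # after a successful use -- confirm.
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)

        # Then, extend a PCR that is part of the policy and try to unseal.
        # This should fail.
        tpm2.extend_pcr(16, 'X' * ds)

        handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)

        rc = 0

        try:
            tpm2.policy_pcr(handle, pcrs)
            tpm2.policy_password(handle)

            tpm2.unseal(self.root_key, blob, auth, handle)
        except ProtocolError as e:
            rc = e.rc
            tpm2.flush_context(handle)
        except:
            # Any other error: release the session like the phase above does.
            tpm2.flush_context(handle)
            raise

        # Without this check the test passes even if the TPM hands out the
        # secret after the policy PCR has changed. rc stays 0 only when no
        # ProtocolError was raised (assumes e.rc is never 0 -- confirm).
        # NOTE(review): any of the three calls in the try block can set rc;
        # comparing against the module's policy-failure response code, if it
        # defines one, would pin the failure to the policy check.
        self.assertNotEqual(rc, 0)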
    def test_seal_with_policy(self):
        """Seal under a PCR 16 + password policy, then unseal with it."""
        secret = 'X' * 64
        password = 'A' * 15
        pcr_selection = [16]

        # The trial session yields the policy digest and is always flushed.
        trial = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
        try:
            tpm2.policy_pcr(trial, pcr_selection)
            tpm2.policy_password(trial)
            digest = tpm2.get_policy_digest(trial)
        finally:
            tpm2.flush_context(trial)

        sealed = tpm2.seal(self.root_key, secret, password, digest)

        # Replay the same policy commands in a real policy session.
        session = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
        try:
            tpm2.policy_pcr(session, pcr_selection)
            tpm2.policy_password(session)
            unsealed = tpm2.unseal(self.root_key, sealed, password, session)
        except:
            # Flushed explicitly only when one of the calls above failed.
            tpm2.flush_context(session)
            raise

        self.assertEqual(secret, unsealed)
    def test_seal_with_auth(self):
        """Round-trip a secret sealed with an auth value and no policy."""
        secret = 'X' * 64
        password = 'A' * 15

        # None in the last position: no policy digest on seal and no policy
        # session on unseal.
        sealed = tpm2.seal(self.root_key, secret, password, None)
        self.assertEqual(
            secret, tpm2.unseal(self.root_key, sealed, password, None))
    def test_seal_with_policy(self):
        """Seal under a PCR 16 + password policy, then unseal with it."""
        secret = 'X' * 64
        password = 'A' * 15
        pcr_selection = [16]

        # The trial session yields the policy digest and is always flushed.
        trial = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
        try:
            tpm2.policy_pcr(trial, pcr_selection)
            tpm2.policy_password(trial)
            digest = tpm2.get_policy_digest(trial)
        finally:
            tpm2.flush_context(trial)

        sealed = tpm2.seal(self.root_key, secret, password, digest)

        # Replay the same policy commands in a real policy session.
        session = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
        try:
            tpm2.policy_pcr(session, pcr_selection)
            tpm2.policy_password(session)
            unsealed = tpm2.unseal(self.root_key, sealed, password, session)
        except:
            # Flushed explicitly only when one of the calls above failed.
            tpm2.flush_context(session)
            raise

        self.assertEqual(secret, unsealed)
    def test_seal_with_auth(self):
        """Round-trip a secret sealed with an auth value and no policy."""
        secret = 'X' * 64
        password = 'A' * 15

        # None in the last position: no policy digest on seal and no policy
        # session on unseal.
        sealed = tpm2.seal(self.root_key, secret, password, None)
        self.assertEqual(
            secret, tpm2.unseal(self.root_key, sealed, password, None))
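    def test_unseal_with_wrong_auth(self):
        """Check that unsealing with a wrong auth value is refused.

        The blob is sealed with a 20-character auth value and no policy.
        The unseal attempt uses the same value with its last character
        changed.
        """
        data = 'X' * 64
        auth = 'A' * 20
        rc = 0

        blob = tpm2.seal(self.root_key, data, auth, None)
        try:
            tpm2.unseal(self.root_key, blob, auth[:-1] + 'B', None)
        except ProtocolError as e:
            rc = e.rc

        # Without this check the test passes even if the TPM releases the
        # secret for the wrong auth value. rc stays 0 only when no
        # ProtocolError was raised (assumes e.rc is never 0 -- confirm).
        # NOTE(review): comparing against the module's auth-failure response
        # code, if it defines one, would be a tighter check.
        self.assertNotEqual(rc, 0)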
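    def test_unseal_with_wrong_auth(self):
        """Check that unsealing with a wrong auth value is refused.

        The blob is sealed with a 20-character auth value and no policy.
        The unseal attempt uses the same value with its last character
        changed.
        """
        data = 'X' * 64
        auth = 'A' * 20
        rc = 0

        blob = tpm2.seal(self.root_key, data, auth, None)
        try:
            tpm2.unseal(self.root_key, blob, auth[:-1] + 'B', None)
        except ProtocolError as e:
            rc = e.rc

        # Without this check the test passes even if the TPM releases the
        # secret for the wrong auth value. rc stays 0 only when no
        # ProtocolError was raised (assumes e.rc is never 0 -- confirm).
        # NOTE(review): comparing against the module's auth-failure response
        # code, if it defines one, would be a tighter check.
        self.assertNotEqual(rc, 0)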
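    def test_seal_with_policy_script(self):
        """Seal and unseal using a policy produced by ./tpm2-pcr-policy.

        The helper is run twice: with --trial its output is hex-decoded and
        used as the policy digest for sealing; without --trial its output is
        parsed as the number of the session handle passed to unseal.

        The helper path is relative, so the test runs whatever executable of
        that name sits in the current working directory.
        """
        data = 'X' * 32
        auth = '\0' * 20

        # NOTE(review): str.decode('hex') exists only on Python 2.
        policy_dig = check_output(
            './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1 --trial'
            .split()).rstrip().decode('hex')
        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        # The session was created by the helper process, not by this one.
        # NOTE(review): presumably the session stays loaded in the TPM after
        # the helper exits -- confirm for the device node in use.
        handle = check_output(
            './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1'
            .split()).rstrip()
        # Base 0 accepts both decimal and 0x-prefixed output.
        handle = int(handle, 0)

        try:
            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            # Flushed explicitly only when the unseal failed.
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)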
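    def test_seal_with_policy_script(self):
        """Seal and unseal using a policy produced by ./tpm2-pcr-policy.

        The helper is run twice: with --trial its output is hex-decoded and
        used as the policy digest for sealing; without --trial its output is
        parsed as the number of the session handle passed to unseal.

        The helper path is relative, so the test runs whatever executable of
        that name sits in the current working directory.
        """
        data = 'X' * 32
        auth = '\0' * 20

        # NOTE(review): str.decode('hex') exists only on Python 2.
        policy_dig = check_output(
            './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1 --trial'
            .split()).rstrip().decode('hex')
        blob = tpm2.seal(self.root_key, data, auth, policy_dig)

        # The session was created by the helper process, not by this one.
        # NOTE(review): presumably the session stays loaded in the TPM after
        # the helper exits -- confirm for the device node in use.
        handle = check_output(
            './tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1'
            .split()).rstrip()
        # Base 0 accepts both decimal and 0x-prefixed output.
        handle = int(handle, 0)

        try:
            result = tpm2.unseal(self.root_key, blob, auth, handle)
        except:
            # Flushed explicitly only when the unseal failed.
            tpm2.flush_context(handle)
            raise

        self.assertEqual(data, result)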