def create_from_tss_key(self, pobj, objauth, hierarchyauth, tpm2, alg, keypath, d): keypath = keypath[0] with open(keypath, "rb") as f: keybytes = f.read() tss2_privkey = TSSPrivKey.from_pem(keybytes) is_empty_auth = tss2_privkey.empty_auth phandle = tss2_privkey.parent pubbytes = tss2_privkey.public.marshal() privbytes = tss2_privkey.private.marshal() pid = pobj['id'] pobj_config = yaml.safe_load(pobj['config']) is_transient = pobj_config['transient'] if not is_transient and (phandle == tpm2.TPM2_RH_OWNER or \ (phandle >> tpm2.TPM2_HR_SHIFT != tpm2.TPM2_HT_PERSISTENT)): sys.exit('The primary object (id: {:d}) is persistent and' ' the TSS Engine key does not have a persistent parent,' ' got: 0x{:x}'.format(pid, phandle)) elif is_transient and not (phandle == tpm2.TPM2_RH_OWNER or phandle == 0): # tpm2-tss-engine < 1.1.0 used a phandle of 0 instead of tpm2.TPM2_RH_OWNER sys.exit('The primary object (id: {:d}) is transient and' ' the TSS Engine key has a parent handle,' ' got: 0x{:x}'.format(pid, phandle)) if is_empty_auth and len(self._auth) if self._auth is not None else 0: sys.exit( 'Key expected to have auth value, please specify via option --auth' ) if not is_transient: # Im diving into the ESYS_TR serialized format, # this isn't the smartest thing to do... hexhandle = pobj_config['esys-tr'] handle_bytes = binascii.unhexlify(hexhandle)[0:4] expected_handle = struct.unpack(">I", handle_bytes)[0] if phandle != expected_handle: sys.exit("Key must be parent of 0x{:X}, got 0x{:X}".format( expected_handle, phandle)) pobj_handle = get_pobject(pobj, tpm2, hierarchyauth, d) pobjauth = pobj['objauth'] ctx = tpm2.load(pobj_handle, pobjauth, privbytes, pubbytes) tertiarypubdata, _ = tpm2.readpublic(ctx, False) privfd, tertiarypriv = mkstemp(prefix='', suffix='.priv', dir=d) try: os.write(privfd, privbytes) finally: os.close(privfd) pubfd, tertiarypub = mkstemp(prefix='', suffix='.pub', dir=d) try: os.write(pubfd, pubbytes) finally: os.close(pubfd) return (tertiarypriv, tertiarypub, tertiarypubdata)
def test_rsa_topem(self): key = TSSPrivKey.from_pem(rsa_pem) pem = key.to_pem() self.assertEqual(pem, rsa_pem)
def test_bad_pem_type(self): bad_pem = rsa_pem.replace(b"TSS2", b"BORK") with self.assertRaises(TypeError) as e: TSSPrivKey.from_pem(bad_pem) self.assertEqual(str(e.exception), "unsupported PEM type")
def test_rsa_frompem(self): key = TSSPrivKey.from_pem(rsa_pem)