def create_from_tss_key(self, pobj, objauth, hierarchyauth, tpm2, alg,
keypath, d):
keypath = keypath[0]
with open(keypath, "rb") as f:
keybytes = f.read()
tss2_privkey = TSSPrivKey.from_pem(keybytes)
is_empty_auth = tss2_privkey.empty_auth
phandle = tss2_privkey.parent
pubbytes = tss2_privkey.public.marshal()
privbytes = tss2_privkey.private.marshal()
pid = pobj['id']
pobj_config = yaml.safe_load(pobj['config'])
is_transient = pobj_config['transient']
if not is_transient and (phandle == tpm2.TPM2_RH_OWNER or \
(phandle >> tpm2.TPM2_HR_SHIFT != tpm2.TPM2_HT_PERSISTENT)):
sys.exit('The primary object (id: {:d}) is persistent and'
' the TSS Engine key does not have a persistent parent,'
' got: 0x{:x}'.format(pid, phandle))
elif is_transient and not (phandle == tpm2.TPM2_RH_OWNER
or phandle == 0):
# tpm2-tss-engine < 1.1.0 used a phandle of 0 instead of tpm2.TPM2_RH_OWNER
sys.exit('The primary object (id: {:d}) is transient and'
' the TSS Engine key has a parent handle,'
' got: 0x{:x}'.format(pid, phandle))
if is_empty_auth and len(self._auth) if self._auth is not None else 0:
sys.exit(
'Key expected to have auth value, please specify via option --auth'
)
if not is_transient:
# Im diving into the ESYS_TR serialized format,
# this isn't the smartest thing to do...
hexhandle = pobj_config['esys-tr']
handle_bytes = binascii.unhexlify(hexhandle)[0:4]
expected_handle = struct.unpack(">I", handle_bytes)[0]
if phandle != expected_handle:
sys.exit("Key must be parent of 0x{:X}, got 0x{:X}".format(
expected_handle, phandle))
pobj_handle = get_pobject(pobj, tpm2, hierarchyauth, d)
pobjauth = pobj['objauth']
ctx = tpm2.load(pobj_handle, pobjauth, privbytes, pubbytes)
tertiarypubdata, _ = tpm2.readpublic(ctx, False)
privfd, tertiarypriv = mkstemp(prefix='', suffix='.priv', dir=d)
try:
os.write(privfd, privbytes)
finally:
os.close(privfd)
pubfd, tertiarypub = mkstemp(prefix='', suffix='.pub', dir=d)
try:
os.write(pubfd, pubbytes)
finally:
os.close(pubfd)
return (tertiarypriv, tertiarypub, tertiarypubdata)
def test_rsa_topem(self):
key = TSSPrivKey.from_pem(rsa_pem)
pem = key.to_pem()
self.assertEqual(pem, rsa_pem)
def test_bad_pem_type(self):
bad_pem = rsa_pem.replace(b"TSS2", b"BORK")
with self.assertRaises(TypeError) as e:
TSSPrivKey.from_pem(bad_pem)
self.assertEqual(str(e.exception), "unsupported PEM type")
def test_rsa_frompem(self):
key = TSSPrivKey.from_pem(rsa_pem)