def test_seal_with_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 15
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
def test_seal_with_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 15
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
def test_seal_with_policy_script(self):
data = 'X' * 32
auth = '\0' * 20
pcrs = [16]
policy_dig = check_output('./tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1 --trial'.split()).rstrip().decode('hex')
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
handle = check_output('./tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1'.split()).rstrip()
handle = int(handle, 0)
try:
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
def test_seal_with_policy_script(self):
data = 'X' * 32
auth = '\0' * 20
pcrs = [16]
policy_dig = check_output(
'./tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1 --trial'.
split()).rstrip().decode('hex')
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
handle = check_output(
'./tpm2-pcr-policy --pcr=16 --name-alg=sha1 --bank=sha1'.split(
)).rstrip()
handle = int(handle, 0)
try:
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
def test_unseal_with_wrong_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 17
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
# Extend first a PCR that is not part of the policy and try to unseal.
# This should succeed.
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
tpm2.extend_pcr(1, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
# Then, extend a PCR that is part of the policy and try to unseal.
# This should fail.
tpm2.extend_pcr(16, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
rc = 0
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except ProtocolError, e:
rc = e.rc
tpm2.flush_context(handle)
def test_unseal_with_wrong_policy(self):
handle = tpm2.start_auth_session(tpm2.TPM2_SE_TRIAL)
data = 'X' * 64
auth = 'A' * 17
pcrs = [16]
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
policy_dig = tpm2.get_policy_digest(handle)
finally:
tpm2.flush_context(handle)
blob = tpm2.seal(self.root_key, data, auth, policy_dig)
# Extend first a PCR that is not part of the policy and try to unseal.
# This should succeed.
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
tpm2.extend_pcr(1, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(data, result)
# Then, extend a PCR that is part of the policy and try to unseal.
# This should fail.
tpm2.extend_pcr(16, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
rc = 0
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except ProtocolError, e:
rc = e.rc
tpm2.flush_context(handle)
def tearDown(self):
tpm2.flush_context(self.root_key)
tpm2.extend_pcr(16, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
rc = 0
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except ProtocolError, e:
rc = e.rc
tpm2.flush_context(handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(e.rc, tpm2.TPM2_RC_POLICY_FAIL)
def test_seal_with_too_long_auth(self):
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
data = 'X' * 64
auth = 'A' * (ds + 1)
rc = 0
try:
blob = tpm2.seal(self.root_key, data, auth, None)
except ProtocolError, e:
rc = e.rc
def tearDown(self):
tpm2.flush_context(self.root_key)
tpm2.extend_pcr(16, 'X' * ds)
handle = tpm2.start_auth_session(tpm2.TPM2_SE_POLICY)
rc = 0
try:
tpm2.policy_pcr(handle, pcrs)
tpm2.policy_password(handle)
result = tpm2.unseal(self.root_key, blob, auth, handle)
except ProtocolError, e:
rc = e.rc
tpm2.flush_context(handle)
except:
tpm2.flush_context(handle)
raise
self.assertEqual(e.rc, tpm2.TPM2_RC_POLICY_FAIL)
def test_seal_with_too_long_auth(self):
ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
data = 'X' * 64
auth = 'A' * (ds + 1)
rc = 0
try:
blob = tpm2.seal(self.root_key, data, auth, None)
except ProtocolError, e:
rc = e.rc
