FAPI: Fix exported Key lacks policy field (Addresses #1606)

* The policy was not part of the JSON export data for key duplication.
* The serialization and deserialization of the corresponding FAPI object,
  and the export and import functions were adapted.
* The policy now is included in the key store for the imported object.
* The integration test was renamed, because the test is not RSA specific.

Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>

8 files changed, 56 insertions, 23 deletions

diff --git a/Makefile-test.am b/Makefile-test.am
index 67a652bc..cf676220 100644
--- a/Makefile-test.am
+++ b/Makefile-test.am
@@ -260,7 +260,7 @@ TESTS_CFLAGS +=  -DTOP_SOURCEDIR"=\"$(top_srcdir)\""
 FAPI_TESTS_INTEGRATION = \
     test/integration/fapi-data-crypt.int \
     test/integration/fapi-data-crypt-rsa.int \
-    test/integration/fapi-rsa-duplicate.int \
+    test/integration/fapi-duplicate.int \
     test/integration/fapi-ext-public-key.int \
     test/integration/fapi-get-random.int \
     test/integration/fapi-platform-certificates.int \
@@ -1604,11 +1604,11 @@ test_integration_fapi_data_crypt_rsa_int_SOURCES = \
     test/integration/fapi-data-crypt.int.c \
     test/integration/main-fapi.c test/integration/test-fapi.h
 
-test_integration_fapi_rsa_duplicate_int_CFLAGS  = $(TESTS_CFLAGS)
-test_integration_fapi_rsa_duplicate_int_LDADD   = $(TESTS_LDADD)
-test_integration_fapi_rsa_duplicate_int_LDFLAGS = $(TESTS_LDFLAGS)
-test_integration_fapi_rsa_duplicate_int_SOURCES = \
-    test/integration/fapi-rsa-duplicate.int.c \
+test_integration_fapi_duplicate_int_CFLAGS  = $(TESTS_CFLAGS)
+test_integration_fapi_duplicate_int_LDADD   = $(TESTS_LDADD)
+test_integration_fapi_duplicate_int_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_fapi_duplicate_int_SOURCES = \
+    test/integration/fapi-duplicate.int.c \
     test/integration/main-fapi.c test/integration/test-fapi.h
 
 
diff --git a/src/tss2-fapi/api/Fapi_ExportKey.c b/src/tss2-fapi/api/Fapi_ExportKey.c
index ab7ee186..42347c0b 100644
--- a/src/tss2-fapi/api/Fapi_ExportKey.c
+++ b/src/tss2-fapi/api/Fapi_ExportKey.c
@@ -340,7 +340,7 @@ Fapi_ExportKey_Finish(
             context->state = EXPORT_KEY_WAIT_FOR_DUPLICATE;
             fallthrough;
 
-        statecase(context->state,  EXPORT_KEY_WAIT_FOR_DUPLICATE);
+        statecase(context->state, EXPORT_KEY_WAIT_FOR_DUPLICATE);
             exportTree->objectType = IFAPI_DUPLICATE_OBJ;
             r = Esys_Duplicate_Finish(context->esys, NULL, &duplicate, &encryptedSeed);
             try_again_or_error_goto(r, "Duplicate", cleanup);
@@ -352,6 +352,10 @@ Fapi_ExportKey_Finish(
             keyTree->public =
                 command->key_object->misc.key.public;
             keyTree->public_parent = command->public_parent;
+
+            /* For the policy added no cleanup is needed. The cleanup will
+               be done with the object cleanup. */
+            keyTree->policy = command->key_object->policy_harness;
             r = ifapi_get_json(context, exportTree, exportedData);
             goto_if_error2(r, "get JSON for exported data.", cleanup);
 
diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c
index d14c1cb1..9a405ca5 100644
--- a/src/tss2-fapi/api/Fapi_Import.c
+++ b/src/tss2-fapi/api/Fapi_Import.c
@@ -204,7 +204,9 @@ Fapi_Import_Async(
         jso = json_tokener_parse(importData);
         return_if_null(jso, "Json error.", TSS2_FAPI_RC_BAD_VALUE);
 
-        if (ifapi_get_sub_object(jso, IFAPI_JSON_TAG_POLICY, &jso2)) {
+        if (ifapi_get_sub_object(jso, IFAPI_JSON_TAG_POLICY, &jso2) &&
+            !(ifapi_get_sub_object(jso, IFAPI_JSON_TAG_DUPLICATE, &jso2))
+            ) {
             /* Create policy object */
             r = ifapi_json_TPMS_POLICY_HARNESS_deserialize(jso, &policyHarness);
             goto_if_error(r, "Serialize policy", cleanup_error);
@@ -375,6 +377,7 @@ Fapi_Import_Finish(
             memset(newObject, 0, sizeof(IFAPI_OBJECT));
             newObject->objectType = IFAPI_KEY_OBJ;
             newObject->misc.key.public = keyTree->public;
+            newObject->policy_harness = keyTree->policy;
             newObject->misc.key.private.size =  command->private->size;
             newObject->misc.key.private.buffer  = &command->private->buffer[0];
             newObject->misc.key.policyInstance = NULL;
@@ -426,6 +429,13 @@ Fapi_Import_Finish(
 
     context->state = _FAPI_STATE_INIT;
     SAFE_FREE(command->out_path);
+
+    /* Cleanup policy for key objects.*/
+    if (newObject->objectType == IFAPI_KEY_OBJ) {
+        if (newObject->policy_harness)
+            ifapi_cleanup_policy_harness(newObject->policy_harness);
+        SAFE_FREE(newObject->policy_harness);
+    }
     SAFE_FREE(command->parent_path);
     ifapi_cleanup_ifapi_object(&command->object);
     SAFE_FREE(command->private);
@@ -437,6 +447,8 @@ Fapi_Import_Finish(
     return TSS2_RC_SUCCESS;
 
 error_cleanup:
+    if (newObject)
+        ifapi_cleanup_ifapi_object(newObject);
     SAFE_FREE(command->out_path);
     SAFE_FREE(command->parent_path);
     ifapi_cleanup_ifapi_object(&command->object);
diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
index 769d304d..ed4fc160 100644
--- a/src/tss2-fapi/fapi_int.h
+++ b/src/tss2-fapi/fapi_int.h
@@ -83,6 +83,7 @@ typedef UINT8 IFAPI_SESSION_TYPE;
 #define IFAPI_JSON_TAG_CERTIFICATE "certificate"
 #define IFAPI_JSON_TAG_EXT_PUB_KEY "pem_ext_public"
 #define IFAPI_JSON_TAG_POLICY "policy"
+#define IFAPI_JSON_TAG_DUPLICATE "public_parent"
 #define IFAPI_JSON_TAG_POLICY_HARNESS "policy_harness"
 
 
diff --git a/src/tss2-fapi/ifapi_json_deserialize.c b/src/tss2-fapi/ifapi_json_deserialize.c
index ac6ecde6..9494b612 100644
--- a/src/tss2-fapi/ifapi_json_deserialize.c
+++ b/src/tss2-fapi/ifapi_json_deserialize.c
@@ -448,7 +448,22 @@ ifapi_json_IFAPI_DUPLICATE_deserialize(json_object *jso, IFAPI_DUPLICATE *out)
     r =  ifapi_json_TPM2B_PUBLIC_deserialize(jso2, &out->public_parent);
     return_if_error(r, "BAD VALUE");
 
+    if (ifapi_get_sub_object(jso, "policy", &jso2)) {
+        out->policy = calloc(1, sizeof(TPMS_POLICY_HARNESS));
+        goto_if_null2(out->policy, "Out of memory.", r, TSS2_FAPI_RC_MEMORY,
+                      error_cleanup);
+
+        r =  ifapi_json_TPMS_POLICY_HARNESS_deserialize(jso2, out->policy);
+        goto_if_error(r, "Deserialize policy harness.", error_cleanup);
+    } else {
+        out->policy = NULL;
+    }
+
     return TSS2_RC_SUCCESS;
+
+ error_cleanup:
+    SAFE_FREE(out->policy);
+    return r;
 }
 
 /**  Deserialize a IFAPI_OBJECT_TYPE_CONSTANT json object.
diff --git a/src/tss2-fapi/ifapi_json_serialize.c b/src/tss2-fapi/ifapi_json_serialize.c
index 71807804..839ae85a 100644
--- a/src/tss2-fapi/ifapi_json_serialize.c
+++ b/src/tss2-fapi/ifapi_json_serialize.c
@@ -350,7 +350,7 @@ ifapi_json_FAPI_QUOTE_INFO_serialize(const FAPI_QUOTE_INFO *in,
  * @param[out] jso pointer to the json object.
  * @retval TSS2_RC_SUCCESS if the function call was a success.
  * @retval TSS2_FAPI_RC_MEMORY: if the FAPI cannot allocate enough memory.
- * @retval TSS2_FAPI_RC_BAD_VALUE if the value is not of type TPMS_POLICY_HARNESS.
+ * @retval TSS2_FAPI_RC_BAD_VALUE if the value is not of type IFAPI_DUPLICATE.
  */
 TSS2_RC
 ifapi_json_IFAPI_DUPLICATE_serialize(const IFAPI_DUPLICATE *in,
@@ -391,6 +391,13 @@ ifapi_json_IFAPI_DUPLICATE_serialize(const IFAPI_DUPLICATE *in,
     return_if_error(r, "Serialize TPM2B_PUBLIC");
 
     json_object_object_add(*jso, "public_parent", jso2);
+    if (in->policy) {
+        jso2 = NULL;
+        r = ifapi_json_TPMS_POLICY_HARNESS_serialize(in->policy, &jso2);
+        return_if_error(r, "Serialize policy");
+
+        json_object_object_add(*jso, "policy", jso2);
+    }
 
     return TSS2_RC_SUCCESS;
 }
diff --git a/src/tss2-fapi/ifapi_keystore.h b/src/tss2-fapi/ifapi_keystore.h
index 3d43494e..6fdc4b7d 100644
--- a/src/tss2-fapi/ifapi_keystore.h
+++ b/src/tss2-fapi/ifapi_keystore.h
@@ -80,6 +80,7 @@ typedef struct {
     TPM2B_PUBLIC                                 public; /**< The public information of the key to be duplicated */
     TPM2B_PUBLIC                          public_parent; /**< The public information of the new parent key */
     char                                   *certificate; /**< The certificate of the key to be duplicated */
+    TPMS_POLICY_HARNESS                         *policy; /**< The policy of the key to be duplicated */
 } IFAPI_DUPLICATE;
 
 /** type for representing public info of a TPM-Resource
diff --git a/test/integration/fapi-rsa-duplicate.int.c b/test/integration/fapi-duplicate.int.c
index 107c9662..e8722c76 100644
--- a/test/integration/fapi-rsa-duplicate.int.c
+++ b/test/integration/fapi-duplicate.int.c
@@ -76,21 +76,21 @@ test_fapi_duplicate(FAPI_CONTEXT *context)
     r = Fapi_Import(context, policy_name, json_policy);
     goto_if_error(r, "Error Fapi_List", error);
 
-    r = Fapi_CreateKey(context, "HS/SRK/myRsaCryptKey", "restricted,decrypt,noDa",
+    r = Fapi_CreateKey(context, "HS/SRK/myCryptKey", "restricted,decrypt,noDa",
                        "", NULL);
     goto_if_error(r, "Error Fapi_CreateKey", error);
 
-    r = Fapi_ExportKey(context, "HS/SRK/myRsaCryptKey", NULL, &json_string_pub_key);
+    r = Fapi_ExportKey(context, "HS/SRK/myCryptKey", NULL, &json_string_pub_key);
     goto_if_error(r, "Error Fapi_CreateKey", error);
 
     r = Fapi_Import(context, "ext/myNewParent", json_string_pub_key);
     goto_if_error(r, "Error Fapi_Import", error);
 
-    r = Fapi_CreateKey(context, "HS/SRK/myRsaCryptKey/myRsaCryptKey2",
+    r = Fapi_CreateKey(context, "HS/SRK/myCryptKey/myCryptKey2",
                        "exportable,decrypt,noDa", policy_name, NULL);
     goto_if_error(r, "Error Fapi_CreateKey", error);
 
-    r = Fapi_ExportKey(context, "HS/SRK/myRsaCryptKey/myRsaCryptKey2",
+    r = Fapi_ExportKey(context, "HS/SRK/myCryptKey/myCryptKey2",
                        "ext/myNewParent", &json_duplicate);
     goto_if_error(r, "Error Fapi_CreateKey", error);
 
@@ -101,22 +101,15 @@ test_fapi_duplicate(FAPI_CONTEXT *context)
 
     fprintf(stderr, "Duplicate:\n%s\n", json_duplicate);
 
-#ifdef EK_PERSISTENT
-    Fapi_Delete(context, "P_RSA_EK_persistent");
-#else
-    Fapi_Delete(context, "P_RSA");
-#endif
+    r = Fapi_Delete(context, "/");
+    goto_if_error(r, "Error Fapi_Delete", error);
+
     SAFE_FREE(json_string_pub_key);
     SAFE_FREE(json_duplicate);
     SAFE_FREE(json_policy);
     return EXIT_SUCCESS;
 
 error:
-#ifdef EK_PERSISTENT
-    Fapi_Delete(context, "P_RSA_EK_persistent");
-#else
-    Fapi_Delete(context, "P_RSA");
-#endif
     SAFE_FREE(json_string_pub_key);
     SAFE_FREE(json_duplicate);
     SAFE_FREE(json_policy);