diff options
author | Juergen Repp <juergen.repp@sit.fraunhofer.de> | 2020-01-29 13:11:17 +0100 |
---|---|---|
committer | Tadeusz Struk <tadeusz.struk@intel.com> | 2020-01-29 09:36:23 -0800 |
commit | 401e2f276ec24b822eb5a69bb3aab5dfbf29f471 (patch) | |
tree | fbbc970365d8637905121095227f7da034aae6c3 | |
parent | 69d6523137f1c625e0d660bc168c9d94b565a6a3 (diff) | |
download | tpm2-tss-401e2f276ec24b822eb5a69bb3aab5dfbf29f471.tar.gz |
FAPI: Fix exported Key lacks policy field (Addresses #1606)
* The policy was not part of the JSON export data for key duplication.
* The serialization and deserialization of the corresponding FAPI object,
and the export and import functions were adapted.
* The policy now is included in the key store for the imported object.
* The integration test was renamed, because the test is not RSA specific.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
-rw-r--r-- | Makefile-test.am | 12 | ||||
-rw-r--r-- | src/tss2-fapi/api/Fapi_ExportKey.c | 6 | ||||
-rw-r--r-- | src/tss2-fapi/api/Fapi_Import.c | 14 | ||||
-rw-r--r-- | src/tss2-fapi/fapi_int.h | 1 | ||||
-rw-r--r-- | src/tss2-fapi/ifapi_json_deserialize.c | 15 | ||||
-rw-r--r-- | src/tss2-fapi/ifapi_json_serialize.c | 9 | ||||
-rw-r--r-- | src/tss2-fapi/ifapi_keystore.h | 1 | ||||
-rw-r--r-- | test/integration/fapi-duplicate.int.c (renamed from test/integration/fapi-rsa-duplicate.int.c) | 21 |
8 files changed, 56 insertions, 23 deletions
diff --git a/Makefile-test.am b/Makefile-test.am index 67a652bc..cf676220 100644 --- a/Makefile-test.am +++ b/Makefile-test.am @@ -260,7 +260,7 @@ TESTS_CFLAGS += -DTOP_SOURCEDIR"=\"$(top_srcdir)\"" FAPI_TESTS_INTEGRATION = \ test/integration/fapi-data-crypt.int \ test/integration/fapi-data-crypt-rsa.int \ - test/integration/fapi-rsa-duplicate.int \ + test/integration/fapi-duplicate.int \ test/integration/fapi-ext-public-key.int \ test/integration/fapi-get-random.int \ test/integration/fapi-platform-certificates.int \ @@ -1604,11 +1604,11 @@ test_integration_fapi_data_crypt_rsa_int_SOURCES = \ test/integration/fapi-data-crypt.int.c \ test/integration/main-fapi.c test/integration/test-fapi.h -test_integration_fapi_rsa_duplicate_int_CFLAGS = $(TESTS_CFLAGS) -test_integration_fapi_rsa_duplicate_int_LDADD = $(TESTS_LDADD) -test_integration_fapi_rsa_duplicate_int_LDFLAGS = $(TESTS_LDFLAGS) -test_integration_fapi_rsa_duplicate_int_SOURCES = \ - test/integration/fapi-rsa-duplicate.int.c \ +test_integration_fapi_duplicate_int_CFLAGS = $(TESTS_CFLAGS) +test_integration_fapi_duplicate_int_LDADD = $(TESTS_LDADD) +test_integration_fapi_duplicate_int_LDFLAGS = $(TESTS_LDFLAGS) +test_integration_fapi_duplicate_int_SOURCES = \ + test/integration/fapi-duplicate.int.c \ test/integration/main-fapi.c test/integration/test-fapi.h diff --git a/src/tss2-fapi/api/Fapi_ExportKey.c b/src/tss2-fapi/api/Fapi_ExportKey.c index ab7ee186..42347c0b 100644 --- a/src/tss2-fapi/api/Fapi_ExportKey.c +++ b/src/tss2-fapi/api/Fapi_ExportKey.c @@ -340,7 +340,7 @@ Fapi_ExportKey_Finish( context->state = EXPORT_KEY_WAIT_FOR_DUPLICATE; fallthrough; - statecase(context->state, EXPORT_KEY_WAIT_FOR_DUPLICATE); + statecase(context->state, EXPORT_KEY_WAIT_FOR_DUPLICATE); exportTree->objectType = IFAPI_DUPLICATE_OBJ; r = Esys_Duplicate_Finish(context->esys, NULL, &duplicate, &encryptedSeed); try_again_or_error_goto(r, "Duplicate", cleanup); @@ -352,6 +352,10 @@ Fapi_ExportKey_Finish( keyTree->public = command->key_object->misc.key.public; keyTree->public_parent = command->public_parent; + + /* For the policy added no cleanup is needed. The cleanup will + be done with the object cleanup. */ + keyTree->policy = command->key_object->policy_harness; r = ifapi_get_json(context, exportTree, exportedData); goto_if_error2(r, "get JSON for exported data.", cleanup); diff --git a/src/tss2-fapi/api/Fapi_Import.c b/src/tss2-fapi/api/Fapi_Import.c index d14c1cb1..9a405ca5 100644 --- a/src/tss2-fapi/api/Fapi_Import.c +++ b/src/tss2-fapi/api/Fapi_Import.c @@ -204,7 +204,9 @@ Fapi_Import_Async( jso = json_tokener_parse(importData); return_if_null(jso, "Json error.", TSS2_FAPI_RC_BAD_VALUE); - if (ifapi_get_sub_object(jso, IFAPI_JSON_TAG_POLICY, &jso2)) { + if (ifapi_get_sub_object(jso, IFAPI_JSON_TAG_POLICY, &jso2) && + !(ifapi_get_sub_object(jso, IFAPI_JSON_TAG_DUPLICATE, &jso2)) + ) { /* Create policy object */ r = ifapi_json_TPMS_POLICY_HARNESS_deserialize(jso, &policyHarness); goto_if_error(r, "Serialize policy", cleanup_error); @@ -375,6 +377,7 @@ Fapi_Import_Finish( memset(newObject, 0, sizeof(IFAPI_OBJECT)); newObject->objectType = IFAPI_KEY_OBJ; newObject->misc.key.public = keyTree->public; + newObject->policy_harness = keyTree->policy; newObject->misc.key.private.size = command->private->size; newObject->misc.key.private.buffer = &command->private->buffer[0]; newObject->misc.key.policyInstance = NULL; @@ -426,6 +429,13 @@ Fapi_Import_Finish( context->state = _FAPI_STATE_INIT; SAFE_FREE(command->out_path); + + /* Cleanup policy for key objects.*/ + if (newObject->objectType == IFAPI_KEY_OBJ) { + if (newObject->policy_harness) + ifapi_cleanup_policy_harness(newObject->policy_harness); + SAFE_FREE(newObject->policy_harness); + } SAFE_FREE(command->parent_path); ifapi_cleanup_ifapi_object(&command->object); SAFE_FREE(command->private); @@ -437,6 +447,8 @@ Fapi_Import_Finish( return TSS2_RC_SUCCESS; error_cleanup: + if (newObject) + ifapi_cleanup_ifapi_object(newObject); SAFE_FREE(command->out_path); SAFE_FREE(command->parent_path); ifapi_cleanup_ifapi_object(&command->object); diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h index 769d304d..ed4fc160 100644 --- a/src/tss2-fapi/fapi_int.h +++ b/src/tss2-fapi/fapi_int.h @@ -83,6 +83,7 @@ typedef UINT8 IFAPI_SESSION_TYPE; #define IFAPI_JSON_TAG_CERTIFICATE "certificate" #define IFAPI_JSON_TAG_EXT_PUB_KEY "pem_ext_public" #define IFAPI_JSON_TAG_POLICY "policy" +#define IFAPI_JSON_TAG_DUPLICATE "public_parent" #define IFAPI_JSON_TAG_POLICY_HARNESS "policy_harness" diff --git a/src/tss2-fapi/ifapi_json_deserialize.c b/src/tss2-fapi/ifapi_json_deserialize.c index ac6ecde6..9494b612 100644 --- a/src/tss2-fapi/ifapi_json_deserialize.c +++ b/src/tss2-fapi/ifapi_json_deserialize.c @@ -448,7 +448,22 @@ ifapi_json_IFAPI_DUPLICATE_deserialize(json_object *jso, IFAPI_DUPLICATE *out) r = ifapi_json_TPM2B_PUBLIC_deserialize(jso2, &out->public_parent); return_if_error(r, "BAD VALUE"); + if (ifapi_get_sub_object(jso, "policy", &jso2)) { + out->policy = calloc(1, sizeof(TPMS_POLICY_HARNESS)); + goto_if_null2(out->policy, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, + error_cleanup); + + r = ifapi_json_TPMS_POLICY_HARNESS_deserialize(jso2, out->policy); + goto_if_error(r, "Deserialize policy harness.", error_cleanup); + } else { + out->policy = NULL; + } + return TSS2_RC_SUCCESS; + + error_cleanup: + SAFE_FREE(out->policy); + return r; } /** Deserialize a IFAPI_OBJECT_TYPE_CONSTANT json object. diff --git a/src/tss2-fapi/ifapi_json_serialize.c b/src/tss2-fapi/ifapi_json_serialize.c index 71807804..839ae85a 100644 --- a/src/tss2-fapi/ifapi_json_serialize.c +++ b/src/tss2-fapi/ifapi_json_serialize.c @@ -350,7 +350,7 @@ ifapi_json_FAPI_QUOTE_INFO_serialize(const FAPI_QUOTE_INFO *in, * @param[out] jso pointer to the json object. * @retval TSS2_RC_SUCCESS if the function call was a success. * @retval TSS2_FAPI_RC_MEMORY: if the FAPI cannot allocate enough memory. - * @retval TSS2_FAPI_RC_BAD_VALUE if the value is not of type TPMS_POLICY_HARNESS. + * @retval TSS2_FAPI_RC_BAD_VALUE if the value is not of type IFAPI_DUPLICATE. */ TSS2_RC ifapi_json_IFAPI_DUPLICATE_serialize(const IFAPI_DUPLICATE *in, @@ -391,6 +391,13 @@ ifapi_json_IFAPI_DUPLICATE_serialize(const IFAPI_DUPLICATE *in, return_if_error(r, "Serialize TPM2B_PUBLIC"); json_object_object_add(*jso, "public_parent", jso2); + if (in->policy) { + jso2 = NULL; + r = ifapi_json_TPMS_POLICY_HARNESS_serialize(in->policy, &jso2); + return_if_error(r, "Serialize policy"); + + json_object_object_add(*jso, "policy", jso2); + } return TSS2_RC_SUCCESS; } diff --git a/src/tss2-fapi/ifapi_keystore.h b/src/tss2-fapi/ifapi_keystore.h index 3d43494e..6fdc4b7d 100644 --- a/src/tss2-fapi/ifapi_keystore.h +++ b/src/tss2-fapi/ifapi_keystore.h @@ -80,6 +80,7 @@ typedef struct { TPM2B_PUBLIC public; /**< The public information of the key to be duplicated */ TPM2B_PUBLIC public_parent; /**< The public information of the new parent key */ char *certificate; /**< The certificate of the key to be duplicated */ + TPMS_POLICY_HARNESS *policy; /**< The policy of the key to be duplicated */ } IFAPI_DUPLICATE; /** type for representing public info of a TPM-Resource diff --git a/test/integration/fapi-rsa-duplicate.int.c b/test/integration/fapi-duplicate.int.c index 107c9662..e8722c76 100644 --- a/test/integration/fapi-rsa-duplicate.int.c +++ b/test/integration/fapi-duplicate.int.c @@ -76,21 +76,21 @@ test_fapi_duplicate(FAPI_CONTEXT *context) r = Fapi_Import(context, policy_name, json_policy); goto_if_error(r, "Error Fapi_List", error); - r = Fapi_CreateKey(context, "HS/SRK/myRsaCryptKey", "restricted,decrypt,noDa", + r = Fapi_CreateKey(context, "HS/SRK/myCryptKey", "restricted,decrypt,noDa", "", NULL); goto_if_error(r, "Error Fapi_CreateKey", error); - r = Fapi_ExportKey(context, "HS/SRK/myRsaCryptKey", NULL, &json_string_pub_key); + r = Fapi_ExportKey(context, "HS/SRK/myCryptKey", NULL, &json_string_pub_key); goto_if_error(r, "Error Fapi_CreateKey", error); r = Fapi_Import(context, "ext/myNewParent", json_string_pub_key); goto_if_error(r, "Error Fapi_Import", error); - r = Fapi_CreateKey(context, "HS/SRK/myRsaCryptKey/myRsaCryptKey2", + r = Fapi_CreateKey(context, "HS/SRK/myCryptKey/myCryptKey2", "exportable,decrypt,noDa", policy_name, NULL); goto_if_error(r, "Error Fapi_CreateKey", error); - r = Fapi_ExportKey(context, "HS/SRK/myRsaCryptKey/myRsaCryptKey2", + r = Fapi_ExportKey(context, "HS/SRK/myCryptKey/myCryptKey2", "ext/myNewParent", &json_duplicate); goto_if_error(r, "Error Fapi_CreateKey", error); @@ -101,22 +101,15 @@ test_fapi_duplicate(FAPI_CONTEXT *context) fprintf(stderr, "Duplicate:\n%s\n", json_duplicate); -#ifdef EK_PERSISTENT - Fapi_Delete(context, "P_RSA_EK_persistent"); -#else - Fapi_Delete(context, "P_RSA"); -#endif + r = Fapi_Delete(context, "/"); + goto_if_error(r, "Error Fapi_Delete", error); + SAFE_FREE(json_string_pub_key); SAFE_FREE(json_duplicate); SAFE_FREE(json_policy); return EXIT_SUCCESS; error: -#ifdef EK_PERSISTENT - Fapi_Delete(context, "P_RSA_EK_persistent"); -#else - Fapi_Delete(context, "P_RSA"); -#endif SAFE_FREE(json_string_pub_key); SAFE_FREE(json_duplicate); SAFE_FREE(json_policy); |