I wrote a test case that exactly reproduces Ceri's problem. Please see attached.
----- Original Message -----
> From: "Ken Goldman" <[email protected]>
> To: [email protected]
> Sent: Thursday, May 1, 2014 10:30:09 AM
> Subject: Re: [TrouSerS-users] Multiple context across multiple applications
> issue
>
> Ceri is claiming that he's having problems loading a key.
>
> Your problem is quite different - Error 24. From the trace:
>
> TPM_Process_UnBind: Error, invalid keyUsage 0011
> TPM_Process_UnBind: Ordinal returnCode 00000024 36
>
> You can't unbind with a storage key. You need a bind key.
>
> ~~
>
> The code flow that I see is
>
> Load Key - fails, bad auth
> Load Key - loads a storage key under the SRK
> Create Key - creates a bind key under that storage key
> Load Key - loads the bind key
> Unbind - uses the bind key, success
> Load Key - fails, bad auth
> Load Key - loads a storage key under the SRK
> Unbind - uses the storage key, fails
>
> ~~
>
> It's easy to see that, the second time, you load the storage key but
> you
> never load the bind key under it. Then you try to unbind with the
> storage key and it fails.
>
> I don't think this is a TPM or TSS bug. You have to load the bind
> key
> the second time.
>
> On 4/30/2014 10:19 PM, Dmitri Toubelis wrote:
> > I think I'm hitting the same or a very similar issue as Ceri. I
> > create context -> create a new key -> encrypt something with the
> > key
> > -> decrypt it -> close context. Everything works fine. Then I
> > create
> > a new context -> load the same key by UUID -> try to decrypt the
> > same
> > blob -> get error 0x24. I'm attaching tpm log for this. I'm using
> > trousers from git master.
> >
> > ----- Original Message -----
> >> From: "Ken Goldman" <[email protected]> To:
> >> [email protected] Sent: Wednesday, April 30,
> >> 2014 1:13:04 PM Subject: Re: [TrouSerS-users] Multiple context
> >> across multiple applications issue
> >>
> >> On 4/30/2014 10:41 AM, Ceri Coburn wrote:
> >>> In my case I have one process that had loaded a key that was
> >>> stored as a UUID in system.data and then the second process fails
> >>> to load the same key, looking at the emulator output, the error
> >>> is indeed thrown from inside the TPM (emulated), but I also see
> >>> the same behaviour on an Intel NUC with a real TPM.
> >>
>
>
>
>
>
#include <tss/tspi.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Storage Root Key: parent under which the test key is created and registered. */
TSS_UUID srk_uuid = TSS_UUID_SRK;
/* Fixed UUID the test key is registered under in system persistent storage,
 * so a second context can find the same key with Tspi_Context_LoadKeyByUUID. */
TSS_UUID test_key_uuid = {0x2ba6a308, 0xa562, 0x4ec0, 0x91, 0x94, {0x6e, 0x1b, 0x72, 0x15, 0x02, 0xb4}};
/* 16-byte plaintext that is bound (encrypted) in context 1 and unbound in both contexts. */
unsigned char bytes[] = {0xd5, 0xa7, 0x98, 0xb8, 0x82, 0x67, 0x48, 0x40, 0x8e, 0x44, 0x1d, 0x62, 0x01, 0xc2, 0x6f, 0x79};
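/*
 * Create a TSP context, connect it, put the well-known secret on its default
 * policy and load the SRK from system persistent storage.
 *
 * step is the first of the five consecutive step numbers used in the error
 * messages (1 for context 1, 16 for context 2), so a failure can still be
 * matched against the TPM log the same way as before.
 *
 * Returns TSS_SUCCESS with *hContext and *hSrk set.  On failure *hContext may
 * already hold a created context; the caller closes it.
 */
static TSS_RESULT
open_context (TSS_HCONTEXT *hContext, TSS_HKEY *hSrk, int step)
{
    TSS_HPOLICY hDefaultPolicy;
    /* TSS_WELL_KNOWN_SECRET is the all-zero 20-byte secret: the SRK and the
     * test key are protected by nothing stronger than that in this test. */
    BYTE well_known_secret[] = TSS_WELL_KNOWN_SECRET;
    TSS_RESULT res;

    res = Tspi_Context_Create (hContext);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Context_Create() failed (code=0x%x).\n", step, res);
        return res;
    }

    res = Tspi_Context_Connect (*hContext, 0);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Context_Connect() failed (code=0x%x).\n", step + 1, res);
        return res;
    }

    res = Tspi_Context_GetDefaultPolicy (*hContext, &hDefaultPolicy);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Context_GetDefaultPolicy() failed (code=0x%x).\n", step + 2, res);
        return res;
    }

    res = Tspi_Policy_SetSecret (hDefaultPolicy, TSS_SECRET_MODE_SHA1, sizeof (well_known_secret), well_known_secret);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Policy_SetSecret() failed (code=0x%x).\n", step + 3, res);
        return res;
    }

    res = Tspi_Context_LoadKeyByUUID (*hContext, TSS_PS_TYPE_SYSTEM, srk_uuid, hSrk);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Context_LoadKeyByUUID() failed (code=0x%x).\n", step + 4, res);
    }
    return res;
}

/*
 * Load the test key from system persistent storage; when that fails, create a
 * fresh 2048-bit non-migratable bind key under hSrk, register it under
 * test_key_uuid and load it.  Steps 6..9 are the creation path.
 *
 * NOTE(review): as in the original, *any* load failure (not only "key not
 * found") falls through to creating a new key.  The failure code is printed
 * so the log shows which case it was.
 */
static TSS_RESULT
load_or_create_test_key (TSS_HCONTEXT hContext, TSS_HKEY hSrk, TSS_HKEY *hTestKey)
{
    TSS_FLAG key_flags = TSS_KEY_TYPE_BIND |
                         TSS_KEY_SIZE_2048 |
                         TSS_KEY_VOLATILE |
                         TSS_KEY_AUTHORIZATION |
                         TSS_KEY_NOT_MIGRATABLE;
    TSS_RESULT res;

    res = Tspi_Context_LoadKeyByUUID (hContext, TSS_PS_TYPE_SYSTEM, test_key_uuid, hTestKey);
    if (res == TSS_SUCCESS) {
        return res;
    }
    printf ("INFO: test key not loaded by UUID (code=0x%x), creating it.\n", res);

    /* create key object */
    res = Tspi_Context_CreateObject (hContext, TSS_OBJECT_TYPE_RSAKEY, key_flags, hTestKey);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 6. Tspi_Context_CreateObject() failed (code=0x%x).\n", res);
        return res;
    }

    /* create key */
    res = Tspi_Key_CreateKey (*hTestKey, hSrk, 0);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 7. Tspi_Key_CreateKey() failed (code=0x%x).\n", res);
        return res;
    }

    /* register key in persistent storage under SRK */
    res = Tspi_Context_RegisterKey (hContext, *hTestKey, TSS_PS_TYPE_SYSTEM, test_key_uuid, TSS_PS_TYPE_SYSTEM, srk_uuid);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 8. Tspi_Context_RegisterKey() failed (code=0x%x).\n", res);
        return res;
    }

    /* load key */
    res = Tspi_Key_LoadKey (*hTestKey, hSrk);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 9. Tspi_Key_LoadKey() failed (code=0x%x).\n", res);
    }
    return res;
}

/*
 * Wrap a bound blob in a legacy ENCDATA object of hContext and unbind it with
 * hKey.  *out / *out_len receive the TSP-owned plaintext buffer (released when
 * the context is closed).  step is the first of the three step numbers used in
 * the error messages (13 for the first unbind, 22 for the second).
 */
static TSS_RESULT
unbind_blob (TSS_HCONTEXT hContext, TSS_HKEY hKey, void *blob, UINT32 blob_len,
             BYTE **out, UINT32 *out_len, int step)
{
    TSS_HENCDATA hEncData = 0;
    TSS_RESULT res;

    /* create encrypted data blob */
    res = Tspi_Context_CreateObject (hContext, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_LEGACY, &hEncData);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Context_CreateObject() failed (code=0x%x).\n", step, res);
        return res;
    }

    /* set encrypted data blob */
    res = Tspi_SetAttribData (hEncData, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, blob_len, (BYTE *) blob);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_SetAttribData() failed (code=0x%x).\n", step + 1, res);
        return res;
    }

    /* unbind data */
    res = Tspi_Data_Unbind (hEncData, hKey, out_len, out);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: %d. Tspi_Data_Unbind() failed (code=0x%x).\n", step + 2, res);
    }
    return res;
}

/*
 * Return 0 when the unbound data is exactly the plaintext that was bound.
 * A successful Tspi_Data_Unbind that returns different bytes would otherwise
 * be reported as a pass; which names the unbind ("first"/"second") in the
 * message.
 */
static int
check_plaintext (const BYTE *data, UINT32 len, const char *which)
{
    if (data == NULL || len != sizeof (bytes) || memcmp (data, bytes, sizeof (bytes)) != 0) {
        printf ("ERROR: %s Unbind returned %u bytes that differ from the bound data.\n", which, (unsigned) len);
        return -1;
    }
    return 0;
}

/*
 * Reproducer: context 1 creates (or loads) a bind key under the SRK, binds
 * `bytes` and unbinds the blob again; context 2 then loads the same key by
 * UUID and unbinds the same blob.  Every TSPI call keeps its original step
 * number in the error message.  Returns 0 on success, -1 on the first failure.
 *
 * Both contexts are closed and the private blob copy is freed on every exit
 * path; closing a context also releases the TSP-owned buffers (data1..data3)
 * handed out for it.
 */
int main (int argc, char **argv)
{
    TSS_HCONTEXT hContext1 = 0;
    TSS_HCONTEXT hContext2 = 0;
    TSS_HKEY hSrk1 = 0;
    TSS_HKEY hSrk2 = 0;
    TSS_HKEY hTestKey1 = 0;
    TSS_HKEY hTestKey2 = 0;
    TSS_HENCDATA hEncData1 = 0;
    BYTE *data1 = NULL;
    BYTE *data2 = NULL;
    BYTE *data3 = NULL;
    UINT32 data_len = 0;
    void *enc_data = NULL;
    size_t enc_data_size = 0;
    TSS_RESULT res;
    int ret = -1;

    (void) argc;
    (void) argv;

    /***** context 1: steps 1-5 *****/
    if (open_context (&hContext1, &hSrk1, 1) != TSS_SUCCESS) {
        goto done;
    }

    /* load test key, creating it on first run (steps 6-9) */
    if (load_or_create_test_key (hContext1, hSrk1, &hTestKey1) != TSS_SUCCESS) {
        goto done;
    }

    /* create encrypted data blob */
    res = Tspi_Context_CreateObject (hContext1, TSS_OBJECT_TYPE_ENCDATA, TSS_ENCDATA_BIND, &hEncData1);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 10. Tspi_Context_CreateObject() failed (code=0x%x).\n", res);
        goto done;
    }

    /* encrypt */
    res = Tspi_Data_Bind (hEncData1, hTestKey1, sizeof (bytes), bytes);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 11. Tspi_Data_Bind() failed (code=0x%x).\n", res);
        goto done;
    }

    /* fetch the encrypted blob */
    res = Tspi_GetAttribData (hEncData1, TSS_TSPATTRIB_ENCDATA_BLOB, TSS_TSPATTRIB_ENCDATABLOB_BLOB, &data_len, &data1);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 12. Tspi_GetAttribData() failed (code=0x%x).\n", res);
        goto done;
    }

    /* keep a private copy: data1 belongs to context 1 and must outlive it */
    enc_data_size = data_len;
    enc_data = malloc (enc_data_size);
    if (enc_data == NULL) {
        printf ("ERROR: malloc(%u) failed.\n", (unsigned) enc_data_size);
        goto done;
    }
    memcpy (enc_data, data1, enc_data_size);

    /***** first Unbind, same context: steps 13-15 *****/
    if (unbind_blob (hContext1, hTestKey1, enc_data, (UINT32) enc_data_size, &data2, &data_len, 13) != TSS_SUCCESS) {
        goto done;
    }
    if (check_plaintext (data2, data_len, "first") != 0) {
        goto done;
    }

    /***** context 2: steps 16-20 *****/
    if (open_context (&hContext2, &hSrk2, 16) != TSS_SUCCESS) {
        goto done;
    }

    /* load test key again, this time only by UUID */
    res = Tspi_Context_LoadKeyByUUID (hContext2, TSS_PS_TYPE_SYSTEM, test_key_uuid, &hTestKey2);
    if (res != TSS_SUCCESS) {
        printf ("ERROR: 21. Tspi_Context_LoadKeyByUUID() failed (code=0x%x).\n", res);
        goto done;
    }

    /***** second Unbind: steps 22-24 *****/
    if (unbind_blob (hContext2, hTestKey2, enc_data, (UINT32) enc_data_size, &data3, &data_len, 22) != TSS_SUCCESS) {
        goto done;
    }
    if (check_plaintext (data3, data_len, "second") != 0) {
        goto done;
    }

    ret = 0;

done:
    /* contexts are closed on the error path too; this also frees data1..data3 */
    if (hContext2 != 0) {
        Tspi_Context_Close (hContext2);
    }
    if (hContext1 != 0) {
        Tspi_Context_Close (hContext1);
    }
    free (enc_data);
    return ret;
}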