From: ted.h.kim at oracle.com
To: tpm2@lists.01.org
Subject: [tpm2] Re: trying duplication and then rsa_en/decrypt
Date: Wed, 20 May 2020 11:56:18 -0700	[thread overview]
Message-ID: <a789286e-4f9b-3238-4e6c-12e96c66a72d@oracle.com> (raw)
In-Reply-To: c2e6d7db-708d-003c-64e4-911911448c40@oracle.com


Imran,

I tried this, but I noticed something that I think is odd.

I added the userwithauth:
# tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
      -L policydupselect.dat  \
      -a "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q

but it does not show up in the readpublic (which is below).

Is this a bug?

FWIW, I am on the 4.1.X branch (just before 4.1.2 came out).
Do I need the 4.1.2 changes?

Thanks,
-ted


  # more dupkey.rp-txt
  key: dupkey.ctx
  name: 000b6894c94c68dd0d379b80c6417130e620e9da317b0033b1cddd1ab542c5a592e6
  qualified name: 000bb9be4705c017f1bf8b238b5f53c87487b4a73c86b8345abfdc671014ab5567ff
  name-alg:
    value: sha256
    raw: 0xb
  attributes:
    value: sensitivedataorigin|decrypt|sign
    raw: 0x60020
  type:
    value: rsa
    raw: 0x1
  exponent: 0x0
  bits: 2048
  scheme:
    value: null
    raw: 0x10
  scheme-halg:
    value: (null)
    raw: 0x0
  sym-alg:
    value: null
    raw: 0x10
  sym-mode:
    value: (null)
    raw: 0x0
  sym-keybits: 0
  rsa: 
  cf42bc7b2063618a8e74d9179f263d0b71be412780d09d5f2e876714f5597fe797c97226473
  d2f4b23e3ded77af61c6959ae708e3d59e965f928750a56db367fa6f687ab8a107ac7e89b76fb1aa
  1cb09008e1d239fe874937e292b447970ab464466ab293df3e473c839dbce360efe92c5bb20eac66
  0714e6a7f7f7ce0646eb9a16e2fe80ba148c4bdb591fec14aed763d70f59cfa4d91dbc1515cfe296
  4452a897cea0c958d8da3615003a6b1b08318a6ddf8f9181923ba6eb7fc127a6d9a9148bdd60f3b4
  663ae246f5216f15f3d5a78b6e69b06e9ce5fbd9d62cf461e088a35da3d41930179839e9984e8976
  de8f0a3ecda87812c53771603dca3ffabac01
  authorization policy: 389e01e8e7605646e8586acc5270ff210125d040d152c348266c99c44184f4d2



On 5/20/20 11:03 AM, ted.h.kim(a)oracle.com wrote:
> Hi Imran,
>
> Thanks for your reply.
>
> I had two cases, but for now, let's talk about the one in the 
> tpm2_policyduplicationselect(1) man page. I did the exact steps listed 
> there in the example. Then after the duplication, I did an import and 
> load, as follows:
>
> # tpm2_import -Q -C dst_n.ctx -i new_dupkey.priv -u dupkey.pub \
>     -s dupseed.dat -r imported.priv -L policydupselect.dat
>
> # tpm2_load -Q -C dst_n.ctx -r imported.priv -u dupkey.pub -c 
> imported.ctx
>
> I then tried to do tpm2_rsa_en/decrypt with imported.ctx. The decrypt 
> is where the policy errors came up.
>
>
> But as you point out below the "userwithauth" attribute is not part of 
> the example in that man page. So let me try again with that attribute 
> added. IIRC, the readpublic on the duplicated/imported key did 
> reference a policy, which I could not figure out how to satisfy. Will 
> get back to you shortly after trying again.
>
> Thanks,
> -ted
>
>
> On 5/20/20 10:31 AM, Imran Desai wrote:
>> Hi Ted,
>>
>> Based on what you said you want to accomplish and your 
>> above-mentioned references, I have a hunch that you have the keys set 
>> up incorrectly.
>> Can you please,
>> 1. Try to create a key with "userwithauth" set in the step in your 
>> script that references policy_duplication man page as in here: 
>> "tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u 
>> dupkey.pub \
>> -L policydupselect.dat  -a 
>> "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q"
>> 2. Share your exact steps/ script that you implemented.
>> 3. Share the key properties of the parent and child object you 
>> created. You can use tpm2_readpublic command to dump the key properties.
>>
>> Thanks
>> _______________________________________________
>> tpm2 mailing list -- tpm2(a)lists.01.org
>> To unsubscribe send an email to tpm2-leave(a)lists.01.org
>
-- 
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
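An added example, not from this thread and not tpm2-tools code: a small Python script that decodes the raw TPMA_OBJECT word that tpm2_readpublic prints and recomputes the TPM2_PolicyDuplicationSelect digest. The bit positions follow TPM 2.0 Library Part 2 (TPMA_OBJECT) and the digest formula follows Part 3 (PolicyDuplicationSelect); the new-parent name used when the script runs is constructed, because the name of dst_n is not on this page. On the readpublic output above, raw 0x60020 decodes to exactly sensitivedataorigin|decrypt|sign; userwithauth is bit 6 (0x40), so a key created with that attribute would show raw 0x60060. Why the attribute matters for the rsa_decrypt failure: TPM2_PolicyDuplicationSelect sets the policy session's command code to TPM_CC_Duplicate, so a session that ran it can only authorize duplication, and with userwithauth clear the object's authValue cannot authorize a USER-role command such as TPM2_RSA_Decrypt either.

```python
import hashlib

# TPMA_OBJECT bit positions (TPM 2.0 Library, Part 2, TPMA_OBJECT), keyed by the
# lower-case names tpm2-tools prints in tpm2_readpublic and accepts in tpm2_create -a.
TPMA_OBJECT_BITS = {
    "fixedtpm": 1 << 1,
    "stclear": 1 << 2,
    "fixedparent": 1 << 4,
    "sensitivedataorigin": 1 << 5,
    "userwithauth": 1 << 6,
    "adminwithpolicy": 1 << 7,
    "noda": 1 << 10,
    "encryptedduplication": 1 << 11,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,
}

# TPM_CC_PolicyDuplicationSelect (TPM 2.0 Library, Part 2, TPM_CC constants).
TPM_CC_POLICY_DUPLICATION_SELECT = 0x00000188


def decode_tpma_object(raw: int) -> list:
    """Return the attribute names set in a raw TPMA_OBJECT word, lowest bit first."""
    names = [name for name, bit in TPMA_OBJECT_BITS.items() if raw & bit]
    unknown = raw & ~sum(TPMA_OBJECT_BITS.values())
    if unknown:
        names.append("reserved:0x%x" % unknown)
    return names


def encode_tpma_object(spec: str) -> int:
    """Turn a tpm2_create -a style 'a|b|c' attribute string into the raw word."""
    raw = 0
    for name in spec.split("|"):
        raw |= TPMA_OBJECT_BITS[name.strip().lower()]
    return raw


def authvalue_usable_for_user_role(raw: int) -> bool:
    """USER-role commands (e.g. TPM2_RSA_Decrypt) may use the object's authValue
    only when userWithAuth is SET; otherwise only a policy session can authorize them."""
    return bool(raw & TPMA_OBJECT_BITS["userwithauth"])


def policy_duplication_select(new_parent_name: bytes, object_name: bytes = b"",
                              include_object: bool = False,
                              hash_name: str = "sha256") -> bytes:
    """TPM2_PolicyDuplicationSelect digest on a fresh (all-zero) policy, per Part 3:

      policyDigest_new = H(policyDigest_old || TPM_CC_PolicyDuplicationSelect
                           || [objectName if includeObject] || newParentName || includeObject)

    Names are the raw TPM2B_NAME contents (hash alg id + digest), i.e. the hex
    that tpm2_readpublic prints as "name:", with no size prefix.
    """
    h = hashlib.new(hash_name)
    h.update(bytes(h.digest_size))  # policyDigest_old of a new session is all zeros
    h.update(TPM_CC_POLICY_DUPLICATION_SELECT.to_bytes(4, "big"))
    if include_object:
        h.update(object_name)
    h.update(new_parent_name)
    h.update(b"\x01" if include_object else b"\x00")
    return h.digest()


if __name__ == "__main__":
    # Raw attribute word taken from the readpublic output in the message above.
    page_raw = 0x60020
    print("0x%x ->" % page_raw, "|".join(decode_tpma_object(page_raw)))
    print("authValue usable for USER role:", authvalue_usable_for_user_role(page_raw))
    wanted = encode_tpma_object("sensitivedataorigin|sign|decrypt|userwithauth")
    print("with userwithauth the raw word would be 0x%x" % wanted)

    # Object name from the page; new-parent name is CONSTRUCTED for illustration.
    dupkey_name = bytes.fromhex(
        "000b6894c94c68dd0d379b80c6417130e620e9da317b0033b1cddd1ab542c5a592e6")
    dst_n_name = bytes.fromhex("000b" + "11" * 32)  # constructed, not the real dst_n
    print("policy (no include-object):", policy_duplication_select(dst_n_name).hex())
    print("policy (include-object):   ",
          policy_duplication_select(dst_n_name, dupkey_name, True).hex())
```

To check a real setup, feed the script the hex from `tpm2_readpublic -c dst_n.ctx` as the new-parent name and compare the result with `xxd -p policydupselect.dat`; the two match only if the same include-object choice was used when the policy was built.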

