File fix_check_of_qualifying_data.patch of Package tpm2.0-tools

From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Sat, 8 Jan 2022 13:43:00 +0100
Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.

Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
Errors that previously went unnoticed now surface.
The order of the tests was cleaned up so that every quote and verifyquote now
uses the matching combination of qualifying data and quote info (the quote info
that carries the nonce).

Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
 test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify.sh
+++ b/test/integration/fapi/fapi-quote-verify.sh
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
 NONCE_FILE=$TEMP_DIR/nonce.file
 PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
 QUOTE_INFO=$TEMP_DIR/quote.info
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
 SIGNATURE_FILE=$TEMP_DIR/signature.file
 CERTIFICATE_FILE=$TEMP_DIR/certificate.file
 PCR_LOG=$TEMP_DIR/pcr.log
@@ -35,14 +36,32 @@ tss2 provision
 
 tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
 
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+
+
 tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
     --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
     --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
 
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
 echo "tss2 quote with EMPTY_FILE" # Expected to succeed
 tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
     --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
-    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
+
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
+# Try with missing qualifyingData
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+    --quoteInfo=$QUOTE_EMPTY_INFO \
+    --signature=$SIGNATURE_FILE
 
 echo "tss2 quote with BIG_FILE" # Expected to fail
 expect <<EOF
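Review bot: No case in this hunk exercises the behaviour the commit message says was broken — that a qualifyingData which does not match the nonce bound into the quote is rejected — so the Fapi_VerifyQuote fix itself stays untested here. All three verifyquote calls pass a qualifyingData (or none at all) that matches the quote info they are handed; after the EMPTY_FILE quote, SIGNATURE_FILE and PCR_LOG belong to that quote, so verifying QUOTE_EMPTY_INFO with NONCE_FILE as qualifyingData is a cheap mismatch case that should fail, in the same expect shape the BIG_FILE case below uses (the expect body is only partly visible, so mirror the existing block exactly). The `# Try with missing qualifyingData` call should also state its expected outcome, e.g. `# Expected to succeed: a missing qualifyingData is treated as empty and matches the EMPTY_FILE quote`, and note that such a quote carries no replay protection (presumably the script runs with errexit, so a bare command is an expected-success case). The mismatch case I would add after the missing-qualifyingData call:
```shell
# … unchanged: quote/verifyquote with NONCE_FILE, EMPTY_FILE and missing qualifyingData …

echo "tss2 verifyquote with mismatching qualifyingData" # Expected to fail
expect <<EOF
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG"
set ret [wait]
if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
    exit 1
}
EOF
```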
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
   exit 1
 fi
 
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
 echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
 expect <<EOF
 spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
 }
 EOF
 
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE
-
 exit 0

diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
+++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
 NONCE_FILE=$TEMP_DIR/nonce.file
 PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
 QUOTE_INFO=$TEMP_DIR/quote.info
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
 SIGNATURE_FILE=$TEMP_DIR/signature.file
 CERTIFICATE_FILE=$TEMP_DIR/certificate.file
 PCR_LOG=$TEMP_DIR/pcr.log
@@ -35,14 +36,32 @@ tss2 provision
 
 tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
 
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+
+
 tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
     --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
     --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
 
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
 echo "tss2 quote with EMPTY_FILE" # Expected to succeed
 tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
     --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
-    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+    --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
+
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
+    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
+# Try with missing qualifyingData
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+    --quoteInfo=$QUOTE_EMPTY_INFO \
+    --signature=$SIGNATURE_FILE
 
 echo "tss2 quote with BIG_FILE" # Expected to fail
 expect <<EOF
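Review bot: The file header of this section names `a/test/integration/fapi/fapi-quote-verify.sh` on the `diff --git` line but `fapi-quote-verify_ecc.sh` on the `---`/`+++` lines, and repeats the first section's `index ad4ade3a1..497d4337f` hashes; this looks like a hand-copied section, and `git apply` or `patch` may refuse it or apply it to the wrong file, so it should be confirmed against the upstream commit. Within the hunk, as in the RSA script, no verifyquote call asserts that a mismatching qualifyingData (for example NONCE_FILE against QUOTE_EMPTY_INFO, with the signature and PCR log of the EMPTY_FILE quote) is rejected, so the qualifying-data check the commit message describes is not exercised by this test either; an expect block in the shape of the BIG_FILE case below would cover it. The `# Try with missing qualifyingData` call should state its expected result, e.g. `# Expected to succeed: missing qualifyingData is treated as empty and matches the EMPTY_FILE quote`.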
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
   exit 1
 fi
 
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
 echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
 expect <<EOF
 spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
 }
 EOF
 
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
-    --quoteInfo=$QUOTE_INFO \
-    --signature=$SIGNATURE_FILE
-
 exit 0