F-2978 - https://fenrir.wolfssl.com/finding/2978 - Add userWithAuth to KeySeal template default attributes

Author: aidangarske

examples/boot/secret_seal.c

@@ -268,6 +268,8 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
 
     /* Create a new key for sealing using signing auth for external key */
     wolfTPM2_GetKeyTemplate_KeySeal(&sealTemplate, pcrAlg);
+    /* Clear userWithAuth - policy-only access */
+    sealTemplate.objectAttributes &= ~TPMA_OBJECT_userWithAuth;
     sealTemplate.authPolicy.size = policyDigestSz;
     XMEMCPY(sealTemplate.authPolicy.buffer, policyDigest, policyDigestSz);
     rc = wolfTPM2_CreateKeySeal_ex(&dev, &sealBlob, &storage.handle,

examples/seal/seal_pcr.c

@@ -216,7 +216,8 @@ int TPM2_Seal_PCR_Example(void* userCtx, int argc, char *argv[])
 
         /* Step 2: Create seal template with PCR policy */
         wolfTPM2_GetKeyTemplate_KeySeal(&sealTemplate, pcrAlg);
-        /* Do NOT set TPMA_OBJECT_userWithAuth - policy-only access */
+        /* Clear userWithAuth - policy-only access */
+        sealTemplate.objectAttributes &= ~TPMA_OBJECT_userWithAuth;
         sealTemplate.authPolicy.size = policyDigestSz;
         XMEMCPY(sealTemplate.authPolicy.buffer, policyDigest, policyDigestSz);
 

examples/seal/seal_policy_auth.c

@@ -265,7 +265,8 @@ int TPM2_Seal_PolicyAuth_Example(void* userCtx, int argc, char *argv[])
 
         /* Step 3: Create seal template with PolicyAuthorize digest */
         wolfTPM2_GetKeyTemplate_KeySeal(&sealTemplate, pcrAlg);
-        /* Do NOT set TPMA_OBJECT_userWithAuth - policy-only access */
+        /* Clear userWithAuth - policy-only access */
+        sealTemplate.objectAttributes &= ~TPMA_OBJECT_userWithAuth;
         sealTemplate.authPolicy.size = policyDigestSz;
         XMEMCPY(sealTemplate.authPolicy.buffer, policyDigest, policyDigestSz);
 

src/tpm2_wrap.c

@@ -7275,7 +7275,7 @@ int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID name
     publicTemplate->nameAlg = nameAlg;
     publicTemplate->objectAttributes = (
         TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
-        TPMA_OBJECT_noDA);
+        TPMA_OBJECT_userWithAuth | TPMA_OBJECT_noDA);
     publicTemplate->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_NULL;
     return TPM_RC_SUCCESS;
 }

tests/unit_tests.c

@@ -1096,6 +1096,20 @@ static void test_TPM2_SchemeSerialize(void)
     printf("Test TPM Wrapper:\tSchemeSerialize:\t\tPassed\n");
 }
 
+static void test_KeySealTemplate(void)
+{
+    int rc;
+    TPMT_PUBLIC tmpl;
+
+    rc = wolfTPM2_GetKeyTemplate_KeySeal(&tmpl, TPM_ALG_SHA256);
+    AssertIntEQ(rc, TPM_RC_SUCCESS);
+
+    /* Template must include userWithAuth so password-based unseal works */
+    AssertIntNE(tmpl.objectAttributes & TPMA_OBJECT_userWithAuth, 0);
+
+    printf("Test TPM Wrapper:\tKeySealTemplate:\t\tPassed\n");
+}
+
 static void test_GetAlgId(void)
 {
     TPM_ALG_ID alg = TPM2_GetAlgId("SHA256");
@@ -1843,6 +1857,7 @@ int unit_tests(int argc, char *argv[])
     test_wolfTPM2_ComputeName();
     #endif
     test_TPM2_SchemeSerialize();
+    test_KeySealTemplate();
     test_GetAlgId();
     test_wolfTPM2_ReadPublicKey();
     test_wolfTPM2_CSR();