utils

tpm2_pytss.utils.make_credential(public, credential, name)[source]

Encrypts credential for use with activate_credential

Parameters

  • public (TPMT_PUBLIC) – The public area of the activation key

  • credential (bytes) – The credential to be encrypted

  • name (bytes) – The name of the key associated with the credential

Returns

A tuple of (TPM2B_ID_OBJECT, TPM2B_ENCRYPTED_SECRET)

Raises

ValueError – If the public key type is not supported

tpm2_pytss.utils.unwrap(newparentpub, newparentpriv, public, duplicate, outsymseed, symkey=None, symdef=None)[source]

unwraps a key under a TPM key hierarchy. In essence, export key from TPM.

This is the inverse function to the wrap() routine. This is usually performed by the TPM when importing objects, however, if an object is duplicated under a new parent where one has both the public and private keys, the object can be unwrapped.

Parameters

  • newparentpub (TPMT_PUBLIC) – The public area of the parent the key was duplicated/wrapped under.

  • newparentpriv (TPMT_SENSITIVE) – The private key of the parent the key was duplicated/wrapped under.

  • public (TPM2B_PUBLIC) – The public area of the key to be unwrapped.

  • duplicate (TPM2B_PRIVATE) – The private or wrapped key to be unwrapped.

  • outsymseed (TPM2B_ENCRYPTED_SECRET) – The output symmetric seed from a wrap or duplicate call.

  • symkey (bytes or None) – Symmetric key for inner encryption. Defaults to None. When None

  • symdef. (and symdef is defined a key will be generated based on the key size for) –

  • symdef (TPMT_SYMDEF_OBJECT) – Symmetric algorithm to be used for inner encryption, defaults to None.

  • performed (If None no inner wrapping is) –

  • what (else this should be set to aes128CFB since that is) –

  • aes128cfb (the TPM supports. To set to) –

  • do

  • TPMT_SYM_DEF( – algorithm=TPM2_ALG.AES, keyBits=TPMU_SYM_KEY_BITS(sym=128), mode=TPMU_SYM_MODE(sym=TPM2_ALG.CFB),

  • )

Returns

A TPM2B_SENSITIVE which contains the raw key material.

Raises

ValueError – If the public key type or symmetric algorithm are not supported

tpm2_pytss.utils.wrap(newparent, public, sensitive, symkey=None, symdef=None)[source]

Wraps key under a TPM key hierarchy

A key is wrapped following the Duplication protections of the TPM Architecture specification. The architecture specification is found in “Part 1: Architecture” at the following link: - https://trustedcomputinggroup.org/resource/tpm-library-specification/

At the time of this writing, spec 1.59 was most recent and it was under section 23.3, titled “Duplication”.

Parameters

  • newparent (TPMT_PUBLIC) – The public area of the parent

  • public (TPM2B_PUBLIC) – The public area of the key

  • sensitive (TPM2B_SENSITIVE) – The sensitive area of the key

  • symkey (bytes or None) – Symmetric key for inner encryption. Defaults to None. When None

  • symdef. (and symdef is defined a key will be generated based on the key size for) –

  • symdef (TPMT_SYMDEF_OBJECT) – Symmetric algorithm to be used for inner encryption, defaults to None.

  • performed (If None no inner wrapping is) –

  • what (else this should be set to aes128CFB since that is) –

  • aes128cfb (the TPM supports. To set to) –

  • do

  • TPMT_SYM_DEF( – algorithm=TPM2_ALG.AES, keyBits=TPMU_SYM_KEY_BITS(sym=128), mode=TPMU_SYM_MODE(sym=TPM2_ALG.CFB),

  • )

Returns

A tuple of (TPM2B_DATA, TPM2B_PRIVATE, TPM2B_ENCRYPTED_SECRET) which is the encryption key, the the wrapped duplicate and the encrypted seed.

Raises

ValueError – If the public key type or symmetric algorithm are not supported