Format Error:
Parameter: 0x4
Error: TPM_RC_EXPIRED
Description: the policy has expired
The problem with this is, that the timeout in this case is not relative, but absolute:
So, after 10 seconds the exmple doesn't work anymore.
I tested this with the following code (copied from the examples). If I run this from the Javascript console in the first 10 seconds, it works and stops working afterwords:
// Create primary key endorsement key from the default template.
var ek = app.CreatePrimaryEndorsementKey();
assert(ek.rc == TPM2_RC_SUCCESS, 'CreatePrimary failed');
assert(app.FlushContext(ek.handle) == TPM2_RC_SUCCESS, 'FlushContext failed');
// Build public key object from key material.
var bn_n = new forge.jsbn.BigInteger(ek.rsa_public_n.substr(2), 16);
var bn_e = new forge.jsbn.BigInteger('10001', 16);
ek_pub = new forge.pki.setRsaPublicKey(bn_n, bn_e);
console.log('EK: ', ek_pub);
var sensitive = 'super secret stuff';
carrier = new Module.KeyedHash(sensitive);
console.log('OK');
seed = forge.random.getBytesSync(16)
aes_key = util.KDFa(TPM2_ALG_SHA256, seed, 'STORAGE', carrier.GetEncodedPublicName(), [], 128)
mac_key = util.KDFa(TPM2_ALG_SHA256, seed, 'INTEGRITY', ByteArrayToStdVector([]), [], 256)
console.log('OK');
// Encrypt carrier keyed-hash object.
var cipher = forge.cipher.createCipher('AES-CFB', aes_key)
cipher.start({iv: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]})
cipher.update(ByteArrayToForgeBuffer(StdVectorToByteArray(carrier.GetEncodedPrivate())))
cipher.finish()
enc_private = cipher.output.data
// MAC encrypted blob.
hmac = forge.hmac.create()
hmac.start('sha256', mac_key)
hmac.update(cipher.output.data)
hmac.update(ByteArrayToForgeBuffer(StdVectorToByteArray(carrier.GetEncodedPublicName())).data)
tag = hmac.digest().data
// Encrypt seed by EK's public key.
enc_seed = ek_pub.encrypt(seed, 'RSA-OAEP', {md: forge.md.sha256.create(), label: 'DUPLICATE\x00'})
console.log('Import blob:');
console.log('Encrypted seed: ', forge.util.bytesToHex(enc_seed));
console.log('Encrypted private: ', forge.util.bytesToHex(enc_private))
console.log('Encrypted private mac: ', forge.util.bytesToHex(tag))
console.log('Carrier public: ', forge.util.bytesToHex(ByteArrayToForgeBuffer(StdVectorToByteArray(carrier.GetEncodedPublic())).data))
// Create primary key endorsement key from the default template.
var ek = app.CreatePrimaryEndorsementKey();
assert(ek.rc == TPM2_RC_SUCCESS, 'CreatePrimary failed');
// Authorization w/ EK has to use Policy Secret sessions.
var session = app.StartAuthSession(/*trial=*/false);
assert(session.rc == TPM2_RC_SUCCESS, 'StartAuthSession failed');
// Refresh session.
app.SetSessionHandle(TPM2_RS_PW);
var rc = app.PolicySecret(TPM2_RH_ENDORSEMENT, session.handle);
assert(rc == TPM2_RC_SUCCESS, 'PolicySecret failed');
app.SetSessionHandle(session.handle);
// Import blob.
var import_result = app.Import(ek.handle, carrier.GetEncodedPublic(), tag, enc_private, enc_seed)
assert(import_result.rc == TPM2_RC_SUCCESS, 'Import failed');
console.log('Imported TPM2B_PRIVATE: ', StdVectorToByteArray(import_result.tpm2b_private));
// Refresh session.
app.SetSessionHandle(TPM2_RS_PW);
var rc = app.PolicySecret(TPM2_RH_ENDORSEMENT, session.handle);
assert(rc == TPM2_RC_SUCCESS, 'PolicySecret failed');
app.SetSessionHandle(session.handle);
// Load imported keyed-hash object.
var loaded = app.Load(ek.handle, import_result.tpm2b_private, import_result.tpm2b_public)
assert(loaded.rc == TPM2_RC_SUCCESS, 'Load failed');
// Unseal sensitive data.
app.SetSessionHandle(TPM2_RS_PW);
var unsealed = app.Unseal(loaded.handle);
assert(unsealed.rc == TPM2_RC_SUCCESS, 'Unseal failed');
var unsealed_data = ByteArrayToForgeBuffer(unsealed.sensitive_data).data;
console.log('Unsealed data: ', unsealed_data);
assert(_.isEqual(unsealed_data, 'super secret stuff'), 'Sensitive data does not match');
// Unload session and keys.
assert(app.FlushContext(session.handle) == TPM2_RC_SUCCESS, 'FlushContext failed');
assert(app.FlushContext(ek.handle) == TPM2_RC_SUCCESS, 'FlushContext failed');
assert(app.FlushContext(loaded.handle) == TPM2_RC_SUCCESS, 'FlushContext failed');
console.log('OK');