diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..5f197e12 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,36 @@ +# Security policy + +Security is of paramount importance to the tss-esapi project. We do all we can to identify and fix +issues, however some problems might slip through the cracks. Any efforts towards responsible +disclosure of security problems are greatly appreciated and your contributions will be acknowledged. + +## Our disclosure policy + +All security vulnerabilities affecting the tss-esapi project - including those reported using the +steps highlighted below, those discovered during routine testing, and those found in our dependency +tree either through `cargo-audit` or otherwise - will receive +[security advisories](https://github.com/parallaxsecond/rust-tss-esapi/security) in a timely +manner. The advisories should include sufficient information about the cause, effect, and possible +mitigations for the vulnerability. If any information is missing, or you would like to raise a +question about the advisories, please open an issue in +[our repo](https://github.com/parallaxsecond/rust-tss-esapi). + +Efforts to mitigate for the reported vulnerabilities will be tracked using GitHub issues linked to +the corresponding advisories. + +## Reporting a vulnerability + +To report a vulnerability, please send an email to +[cncf-parsec-maintainers@lists.cncf.io](mailto:cncf-parsec-maintainers@lists.cncf.io). We will +promptly reply to your report and we will strive to keep you in the loop as we try to reach a +resolution. + +# Security considerations for the use of the software + +The authvalue provided to the TPM to perform certain operations like creating Primary Keys is +currently randomly generated by [getrandom](https://crates.io/crates/getrandom), which assumes +"that the system always provides high-quality cryptographically secure random data, ideally backed +by hardware entropy sources." + +The user of this software should take this into consideration when setting up their system and using +this software. diff --git a/tss-esapi/Cargo.toml b/tss-esapi/Cargo.toml index 6c230e55..bcab43de 100644 --- a/tss-esapi/Cargo.toml +++ b/tss-esapi/Cargo.toml @@ -34,6 +34,7 @@ cfg-if = "1.0.0" strum = { version = "0.25.0", optional = true } strum_macros = { version = "0.25.0", optional = true } paste = "1.0.14" +getrandom = "0.2.11" [dev-dependencies] env_logger = "0.9.0" diff --git a/tss-esapi/src/abstraction/transient/mod.rs b/tss-esapi/src/abstraction/transient/mod.rs index a0d29d0c..46582727 100644 --- a/tss-esapi/src/abstraction/transient/mod.rs +++ b/tss-esapi/src/abstraction/transient/mod.rs @@ -137,6 +137,7 @@ impl TransientKeyContext { /// /// # Errors /// * if the authentication size is larger than 32 a `WrongParamSize` wrapper error is returned + /// * if there is an error when obtaining random numbers from the local machine pub fn create_key( &mut self, key_params: KeyParams, @@ -147,8 +148,12 @@ impl TransientKeyContext { } let key_auth = if auth_size > 0 { self.set_session_attrs()?; - let random_bytes = self.context.get_random(auth_size)?; - Some(Auth::from_bytes(random_bytes.as_bytes())?) + let mut random_bytes = vec![0u8; auth_size]; + getrandom::getrandom(&mut random_bytes).map_err(|_| { + log::error!("Failed to obtain a random authvalue for key creation"); + Error::WrapperError(ErrorKind::InternalError) + })?; + Some(Auth::from_bytes(random_bytes.as_slice())?) } else { None }; @@ -636,7 +641,7 @@ impl TransientKeyContextBuilder { /// Bootstrap the TransientKeyContext. /// /// The root key is created as a primary key in the provided hierarchy and thus authentication is - /// needed for said hierarchy. The authentication value for the key is generated by the TPM itself, + /// needed for said hierarchy. The authentication value for the key is generated locally in the machine, /// with a configurable length, and never exposed outside the context. /// /// # Warning @@ -649,9 +654,9 @@ impl TransientKeyContextBuilder { /// * `root_key_auth_size` must be at most 32 /// /// # Errors - /// * errors are returned if any method calls return an error: `Context::get_random`, - /// `Context::start_auth_session`, `Context::create_primary`, `Context::flush_context`, - /// `Context::set_handle_auth` + /// * errors are returned if any method calls return an error: `Context::start_auth_session` + /// `Context::create_primary`, `Context::flush_context`, `Context::set_handle_auth` + /// or if an internal error occurs when getting random numbers from the local machine /// * if the root key authentication size is given greater than 32 or if the root key size is /// not 1024, 2048, 3072 or 4096, a `InvalidParam` wrapper error is returned pub fn build(mut self) -> Result { @@ -664,8 +669,12 @@ impl TransientKeyContextBuilder { let mut context = Context::new(self.tcti_name_conf)?; let root_key_auth = if self.root_key_auth_size > 0 { - let random = context.get_random(self.root_key_auth_size)?; - Some(Auth::from_bytes(random.as_bytes())?) + let mut random = vec![0u8; self.root_key_auth_size]; + getrandom::getrandom(&mut random).map_err(|_| { + log::error!("Failed to obtain a random value for root key authentication"); + Error::WrapperError(ErrorKind::InternalError) + })?; + Some(Auth::from_bytes(random.as_slice())?) } else { None }; diff --git a/tss-esapi/src/context/tpm_commands/asymmetric_primitives.rs b/tss-esapi/src/context/tpm_commands/asymmetric_primitives.rs index 84d34c3d..77b8e281 100644 --- a/tss-esapi/src/context/tpm_commands/asymmetric_primitives.rs +++ b/tss-esapi/src/context/tpm_commands/asymmetric_primitives.rs @@ -127,8 +127,9 @@ impl Context { /// # context.tr_sess_set_attributes(session, session_attributes, session_attributes_mask) /// # .expect("Failed to set attributes on session"); /// # context.set_sessions((Some(session), None, None)); - /// # let random_digest = context.get_random(16).unwrap(); - /// # let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + /// # let mut random_digest = vec![0u8; 16]; + /// # getrandom::getrandom(&mut random_digest).unwrap(); + /// # let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); /// # /// // Create a key suitable for ECDH key generation /// let ecc_parms = PublicEccParametersBuilder::new() @@ -262,8 +263,9 @@ impl Context { /// # context.tr_sess_set_attributes(session, session_attributes, session_attributes_mask) /// # .expect("Failed to set attributes on session"); /// # context.set_sessions((Some(session), None, None)); - /// # let random_digest = context.get_random(16).unwrap(); - /// # let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + /// # let mut random_digest = vec![0u8; 16]; + /// # getrandom::getrandom(&mut random_digest).unwrap(); + /// # let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); /// # /// // Create a key suitable for ECDH key generation /// let ecc_parms = PublicEccParametersBuilder::new() diff --git a/tss-esapi/src/context/tpm_commands/context_management.rs b/tss-esapi/src/context/tpm_commands/context_management.rs index 71ac0856..af865c90 100644 --- a/tss-esapi/src/context/tpm_commands/context_management.rs +++ b/tss-esapi/src/context/tpm_commands/context_management.rs @@ -112,10 +112,9 @@ impl Context { /// /// // Execute context methods using the session /// context.execute_with_session(Some(session), |ctx| { - /// let random_digest = ctx.get_random(16) - /// .expect("Call to get_random failed"); - /// let key_auth = Auth::from_bytes(random_digest.as_bytes()) - /// .expect("Failed to create Auth"); + /// let mut random_digest = vec![0u8; 16]; + /// getrandom::getrandom(&mut random_digest).expect("Call to getrandom failed"); + /// let key_auth = Auth::from_bytes(random_digest.as_slice()).expect("Failed to create Auth"); /// let key_handle = ctx /// .create_primary( /// Hierarchy::Owner, diff --git a/tss-esapi/src/context/tpm_commands/symmetric_primitives.rs b/tss-esapi/src/context/tpm_commands/symmetric_primitives.rs index 31433e21..a45c1d5a 100644 --- a/tss-esapi/src/context/tpm_commands/symmetric_primitives.rs +++ b/tss-esapi/src/context/tpm_commands/symmetric_primitives.rs @@ -56,12 +56,11 @@ impl Context { /// # .tr_set_auth(tss_esapi::interface_types::reserved_handles::Hierarchy::Owner.into(), Auth::default()) /// # .expect("Failed to set auth to empty for owner"); /// # // Create primary key auth - /// # let primary_key_auth = Auth::try_from( - /// # context - /// # .get_random(16) - /// # .expect("get_rand call failed") - /// # .as_bytes() - /// # .to_vec(), + /// # let mut random_digest = vec![0u8; 16]; + /// # getrandom::getrandom(&mut random_digest).expect("get_rand call failed"); + /// # let primary_key_auth = Auth::from_bytes( + /// # random_digest + /// # .as_slice() /// # ) /// # .expect("Failed to create primary key auth"); /// # // Create primary key @@ -103,12 +102,11 @@ impl Context { /// # .build() /// # .expect("Failed to create public for symmetric key public"); /// # // Create auth for the symmetric key - /// # let symmetric_key_auth = Auth::try_from( - /// # context - /// # .get_random(16) - /// # .expect("get_rand call failed") - /// # .as_bytes() - /// # .to_vec(), + /// # let mut random_digest = vec![0u8; 16]; + /// # getrandom::getrandom(&mut random_digest).expect("get_rand call failed"); + /// # let symmetric_key_auth = Auth::from_bytes( + /// # random_digest + /// # .as_slice() /// # ) /// # .expect("Failed to create symmetric key auth"); /// # // Create symmetric key data diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs index 1c433d6d..63487600 100644 --- a/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs +++ b/tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs @@ -502,8 +502,9 @@ fn ctx_migration_test() { // Create two key contexts using `Context`, one for an RSA keypair, // one for just the public part of the key let mut basic_ctx = crate::common::create_ctx_with_session(); - let random_digest = basic_ctx.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let prim_key_handle = basic_ctx .create_primary( Hierarchy::Owner, diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/asymmetric_primitives_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/asymmetric_primitives_tests.rs index 06052e4c..c42f60e6 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/asymmetric_primitives_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/asymmetric_primitives_tests.rs @@ -19,8 +19,9 @@ mod test_rsa_encrypt_decrypt { #[test] fn test_encrypt_decrypt() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -59,8 +60,9 @@ mod test_rsa_encrypt_decrypt { #[test] fn test_ecdh() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let ecc_parms = PublicEccParametersBuilder::new() .with_ecc_scheme(EccScheme::EcDh(HashScheme::new(HashingAlgorithm::Sha256))) diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/context_management_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/context_management_tests.rs index feaf915b..b2a3adca 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/context_management_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/context_management_tests.rs @@ -7,8 +7,9 @@ mod test_ctx_save { #[test] fn test_ctx_save() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -27,8 +28,9 @@ mod test_ctx_save { #[test] fn test_ctx_save_leaf() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let prim_key_handle = context .create_primary( @@ -70,13 +72,14 @@ mod test_ctx_load { #[test] fn test_ctx_load() { let mut context = create_ctx_with_session(); - let key_auth = context.get_random(16).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); let prim_key_handle = context .create_primary( Hierarchy::Owner, decryption_key_pub(), - Some(Auth::from_bytes(key_auth.as_bytes()).unwrap()), + Some(Auth::from_bytes(random_digest.as_slice()).unwrap()), None, None, None, @@ -88,7 +91,7 @@ mod test_ctx_load { .create( prim_key_handle, signing_key_pub(), - Some(Auth::from_bytes(key_auth.as_bytes()).unwrap()), + Some(Auth::from_bytes(random_digest.as_slice()).unwrap()), None, None, None, @@ -112,8 +115,9 @@ mod test_flush_context { #[test] fn test_flush_ctx() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -133,8 +137,9 @@ mod test_flush_context { #[test] fn test_flush_parent_ctx() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let prim_key_handle = context .create_primary( diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs index 922796e5..840d0945 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs @@ -536,8 +536,9 @@ mod test_policy_authorize { #[test] fn test_policy_authorize() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/hierarchy_commands_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/hierarchy_commands_tests.rs index 5fa4c0c8..4fc73dea 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/hierarchy_commands_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/hierarchy_commands_tests.rs @@ -9,8 +9,9 @@ mod test_create_primary { #[test] fn test_create_primary() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -93,8 +94,9 @@ mod test_change_auth { ) .unwrap(); - let random_digest = context.get_random(16).unwrap(); - let new_key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let new_key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let new_private = context .object_change_auth(loaded_key.into(), prim_key_handle.into(), new_key_auth) @@ -108,8 +110,9 @@ mod test_change_auth { fn test_hierarchy_change_auth() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let new_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let new_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); // NOTE: If this test failed on your system, you are probably running it against a // real (hardware) TPM or one that is provisioned. This hierarchy is supposed to be diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/object_commands_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/object_commands_tests.rs index 1001cba2..a6b037ed 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/object_commands_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/object_commands_tests.rs @@ -2,14 +2,14 @@ // SPDX-License-Identifier: Apache-2.0 mod test_create { use crate::common::{create_ctx_with_session, decryption_key_pub}; - use std::convert::TryFrom; use tss_esapi::{interface_types::reserved_handles::Hierarchy, structures::Auth}; #[test] fn test_create() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let prim_key_handle = context .create_primary( @@ -38,14 +38,14 @@ mod test_create { mod test_load { use crate::common::{create_ctx_with_session, decryption_key_pub, signing_key_pub}; - use std::convert::TryFrom; use tss_esapi::{interface_types::reserved_handles::Hierarchy, structures::Auth}; #[test] fn test_load() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let prim_key_handle = context .create_primary( @@ -237,8 +237,9 @@ mod test_read_public { #[test] fn test_read_public() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::from_bytes(random_digest.as_bytes()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/signing_and_signature_verification_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/signing_and_signature_verification_tests.rs index bdd3a5c6..a5fd4d2c 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/signing_and_signature_verification_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/signing_and_signature_verification_tests.rs @@ -11,8 +11,9 @@ mod test_verify_signature { #[test] fn test_verify_signature() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -47,8 +48,9 @@ mod test_verify_signature { #[test] fn test_verify_wrong_signature() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -93,8 +95,9 @@ mod test_verify_signature { #[test] fn test_verify_wrong_signature_2() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -129,8 +132,9 @@ mod test_verify_signature { #[test] fn test_verify_wrong_signature_3() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -173,8 +177,9 @@ mod test_sign { #[test] fn test_sign() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -201,8 +206,9 @@ mod test_sign { #[test] fn test_sign_empty_digest() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( @@ -229,8 +235,9 @@ mod test_sign { #[test] fn test_sign_large_digest() { let mut context = create_ctx_with_session(); - let random_digest = context.get_random(16).unwrap(); - let key_auth = Auth::try_from(random_digest.as_bytes().to_vec()).unwrap(); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).unwrap(); + let key_auth = Auth::from_bytes(random_digest.as_slice()).unwrap(); let key_handle = context .create_primary( diff --git a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/symmetric_primitives_tests.rs b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/symmetric_primitives_tests.rs index 1e04bb59..650bf4fe 100644 --- a/tss-esapi/tests/integration_tests/context_tests/tpm_commands/symmetric_primitives_tests.rs +++ b/tss-esapi/tests/integration_tests/context_tests/tpm_commands/symmetric_primitives_tests.rs @@ -25,14 +25,10 @@ mod test_encrypt_decrypt_2 { .tr_set_auth(Hierarchy::Owner.into(), Auth::default()) .expect("Failed to set auth to empty for owner"); - let primary_key_auth = Auth::try_from( - context - .get_random(16) - .expect("get_rand call failed") - .as_bytes() - .to_vec(), - ) - .expect("Failed to create primary key auth"); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).expect("get_rand call failed"); + let primary_key_auth = + Auth::from_bytes(random_digest.as_slice()).expect("Failed to create primary key auth"); let primary_key_handle = context.execute_with_session(Some(AuthSession::Password), |ctx| { ctx.create_primary( @@ -78,14 +74,10 @@ mod test_encrypt_decrypt_2 { .build() .expect("Failed to create public for symmetric key public"); - let symmetric_key_auth = Auth::try_from( - context - .get_random(16) - .expect("get_rand call failed") - .as_bytes() - .to_vec(), - ) - .expect("Failed to create symmetric key auth"); + let mut random_digest = vec![0u8; 16]; + getrandom::getrandom(&mut random_digest).expect("get_rand call failed"); + let symmetric_key_auth = Auth::from_bytes(random_digest.as_slice()) + .expect("Failed to create symmetric key auth"); let symmetric_key_value = SensitiveData::try_from(vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16])