Closed Firstyear closed 7 months ago
Nope you are not overlooking something. The ticket should be optional.
From the commands part of the 1.59 spec:
proof that digest was created by the TPM If keyHandle is not a restricted signing key, then this may be a NULL Ticket with tag = TPM_ST_CHECKHASH
And then handle the None case inside the method.
As workaround you could probably do
let validation = HashcheckTicket::try_from(TPMT_TK_HASHCHECK::default()).unwrap();
Not sure though I have not tried it.
In the tests in a lot fo places you can see that they do this:
let validation = TPMT_TK_HASHCHECK {
tag: TPM2_ST_HASHCHECK,
hierarchy: TPM2_RH_NULL,
digest: Default::default(),
};
context
.sign(
key_handle,
Digest::try_from(Vec::<u8>::new()).unwrap(),
SignatureScheme::Null,
validation.try_into().unwrap(),
)
.unwrap_err();
If you need a work around but I am fixing this properly right now.
Thank you! I'll wait for this PR and just work from git main in my dependent projects for now.
https://docs.rs/tss-esapi/latest/tss_esapi/struct.Context.html#method.sign requires a hashcheck ticket, however an unrestricted key should not need the hashcheck. Should there be two sign apis, one for restricted_sign and one for unrestricted?
Or am I overlooking something obvious here?