tpm2_policyauthorize - Clarification on workflows that throw ERROR tpm:parameter(1):the handle is not correct for the use

[OptioAuth]

Using the work flow for tpm2_policyauthorize test in version 5.6 and 5.7.35

Pardon my audacity, I have nowhere else to turn.

tpm2 flushcontext -t

tpm2 createprimary -C o -g sha256 -G rsa -c primary.ctx
tpm2 create -C primary.ctx -G rsa -u signer.pub -r signer.priv -a "sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth" -l sha256:0
tpm2 load -C primary.ctx -u signer.pub -r signer.priv -c signer.ctx -n signer_key.name

tpm2 startauthsession -S trial_session.ctx
tpm2_policysigned -S trial_session.ctx -g sha256 -c signer.ctx -L policy.digest
tpm2 getpolicydigest -S trial_session.ctx -o inner.policy
tpm2_sign -c signer.ctx -d policy.digest -o policy.signature
tpm2 verifysignature -c signer.ctx -d policy.digest -s policy.signature -t sig.ticket
tpm2_policyauthorize -S trial_session.ctx -n signer_key.name -i policy.digest -L policy.authorized -t verify.ticket
tpm2 flushcontext trial_session.ctx

Everything A.O.K so far

Test 1 policy.digest

tpm2 startauthsession --policy-session -S policy_session.ctx
tpm2 policyauthorize -S policy_session.ctx -i policy.digest -n signer_key.name -t sig.ticket -L authorized.policy -V

INFO on line: "419" in file: "lib/files.c": Assuming tpm context file
INFO on line: "350" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001cb)
ERROR on line: "53" in file: "lib/log.h": Esys_ContextLoad(0x1CB) - tpm:parameter(1):the handle is not correct for the use
ERROR on line: "272" in file: "lib/tpm2_session.c": Could not load session context
ERROR on line: "274" in file: "tools/tpm2_tool.c": Unable to run policyauthorize

Test 2 inner.policy

tpm2 startauthsession --policy-session -S policy_session.ctx
tpm2 policyauthorize -S policy_session.ctx -i inner.policy -n signer_key.name -t sig.ticket -L authorized.policy -V

INFO on line: "419" in file: "lib/files.c": Assuming tpm context file
INFO on line: "350" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x3000000
WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000001cb)
ERROR on line: "53" in file: "lib/log.h": Esys_ContextLoad(0x1CB) - tpm:parameter(1):the handle is not correct for the use
ERROR on line: "272" in file: "lib/tpm2_session.c": Could not load session context
ERROR on line: "274" in file: "tools/tpm2_tool.c": Unable to run policyauthorize

No matter how I slice it and try different permutations of the workflow,

I end up with the same error.

This workflow is repeatable in Google Cloud Shell.

I am told that my sig.ticket and policy.digest HEX must match using this test below.

They never match up. I am at a loss.

wc -c inner.policy policy.digest sig.ticket policy.signature
32 inner.policy
32 policy.digest
40 sig.ticket
262 policy.signature

tail -c 32 sig.ticket | xxd -p
ab0245bd5377eca0748a8fe311142cc6104c987d7e424fd7fe5ec7f914d0
6d7e

xxd -p inner.policy
3a1611b85ef986955b32ab1b6ef965f526026fbbaaea9fa22349e367041e
55d1

xxd -p policy.digest
3a1611b85ef986955b32ab1b6ef965f526026fbbaaea9fa22349e367041e
55d1

tpm2 readpublic -c signer.ctx

name: 000b1e7c09574ad169381816937dfd911a2ece7766d3d371a468deca2be39855b892
qualified name: 000bba0a75b0d7cef2dd5e3497e413c4eb208deee182d637e35d84b0499c059acf13
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign
raw: 0x40072
type:
value: rsa
raw: 0x1
exponent: 65537
bits: 2048
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: null
raw: 0x10
sym-mode:
value: (null)
raw: 0x0
sym-keybits: 0
rsa: be718622162e8206c61eb7b6332a3f4681b2b1dcdc858619382abb029a88254917c86d1f6a6b04078b6cdb82ee67ed8d07386392dba6f2eef0c5df1b7fc7b3aac0946fb225158b7e7ca4260ff6cbcfe404075bb52d16c222b41f35f5225c9e644c67a2a2e3889d57a7324ef2498c6b11bbcf7e758cbbe5312f68ebe68c173a039365ee4995e371dc4692593617c6496e3aab9ce09d43a46d245a414533bece6f5a2fd0450417413755b36e68307357cfcc364882407725788c5e82e97001b8a798a50e40a69334d334c15b0d7078cd35e7410e85a2ea7732fb593c6396e66254fffefce962543ca04055f4ef475fbd3842f80320d06629450839e817f8d456f5

tpm2 sessionconfig policy_session.ctx
Session-Handle: 0x03000002
Session-Attributes: continuesession
Session-Digest: 0000000000000000000000000000000000000000000000000000000000000000

I am willing and able to dig into the C library in tpm2-tss and tpm2-tools.

Cheers and Thank You
Jay

[OptioAuth]

One more workflow. I notice that in my tpm2 readpublic i had null for scheme: and sym-alg:
Thinking "maybe" I got my lines crossed with tpm2. The next worflow explicitly sets both. Yet, still same error on tpm2 policyauthorize

tpm2 flushcontext -t

test 3 rsassa

tpm2 createprimary -C o -g sha256 -G rsa -c primary.ctx
tpm2 create -C primary.ctx -G rsa2048:rsassa-sha256
-u signer.pub -r signer.priv
-a "sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth"
tpm2 load -C primary.ctx -u signer.pub -r signer.priv -c signer.ctx -n signer_key.name

tpm2 startauthsession -S trial_session.ctx
tpm2 policypcr -S trial_session.ctx -l sha256:0 -L inner.policy
tpm2 flushcontext trial_session.ctx

tpm2 sign -c signer.ctx -g sha256 -d inner.policy -o policy.sig
tpm2 verifysignature -c signer.ctx -d inner.policy -s policy.sig -t sig.ticket

OK, so far, this worked

tpm2 startauthsession --policy-session -S policy_session.ctx
tpm2 policyauthorize -S policy_session.ctx -i inner.policy -n signer_key.name -t sig.ticket -L authorized.policy

WARNING:esys:src/tss2-esys/api/Esys_PolicyAuthorize.c:309:Esys_PolicyAuthorize_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_PolicyAuthorize.c:111:Esys_PolicyAuthorize() Esys Finish ErrorCode (0x000001c4)
ERROR: Esys_PolicyAuthorize(0x1C4) - tpm:parameter(1):value is out of range or is not correct for the context
ERROR: Could not build tpm authorized policy
ERROR: Unable to run policyauthorize

But, just for fun. Here's my signer context:

tpm2 readpublic -c signer.ctx
name: 000ba9f5a4e30a92f7bb5191bb0412860c4c5be710b86221780684c66f7c3953c3b0
qualified name: 000baaac87d03f9d6ad5317ca1df71c812fbe77023591d2ebd3f37f1f18cb55eb281
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign
raw: 0x40072
type:
value: rsa
raw: 0x1
exponent: 65537
bits: 2048
scheme:
value: rsassa
raw: 0x14
scheme-halg:
value: sha256
raw: 0xb
sym-alg:
value: null
raw: 0x10
sym-mode:
value: (null)
raw: 0x0
sym-keybits: 0
rsa: a77299f1656d39b1e33f89c3099314edbd49a8e15ed3f966e4c07a17116dae8859bff5845f4f0a2a20b130e114b7a9f5b071741df6cac20e0ccb18d7efdaf4db0afb191540785cf31c3b38d9360daf5aecef0d77248238d621cf5b12d8875a0b42b596a5efe95ed865f94f048c0524de6a0d00381ce0a5fb2773db19da651ee878a06895a72ffb0c191b4e9e0d22fd29e8e1ce27f0753e6da497b60d878d1be626a452459feac4c58ebb7faab843768577af1e31fc1048eb5167e0876a018b0e05f4d3578d54c6211118d591feb6bd0ba42b2b30e92a5c5bf5bb657d0a803f661dd2217d63c8e2e35a6bd6f375b0aa7b80b27c0c18a71d1477b24742956c36e5

Sure would be swell if I knew more from the ERROR message other than digging into code.

Cheers and Thank You
Jay

[JuergenReppSIT]

I tried to reproduce the error of "Test 1". Instead of Esys_ContextLoad() Esys Finish ErrorCode (0x000001cb) I get:
Esys_PolicyAuthorize() Esys Finish ErrorCode (0x000001c4)
This error occurs because no policy command was executed that corresponds to the policy digest of the policy that was signed.
Which version of the tools and the tss are you using?

[OptioAuth]

I get same error on both tpm2 version="5.7-53-gc2d1ee7c and version="5.6". Yes, I also get a Esys_PolicyAuthorize() Esys Finish ErrorCode (0x000001c4)

Not sure where this 0x01cb came from. I usually get a 0x01c4.

Just ran it again to confirm:

tpm2 startauthsession --policy-session -S policy_session.ctx
tpm2 policyauthorize -S policy_session.ctx -i policy.digest -n signer_key.name -t sig.ticket -L authorized.policy -V
INFO on line: "434" in file: "lib/files.c": Assuming tpm context file
INFO on line: "365" in file: "lib/files.c": load: TPMS_CONTEXT->savedHandle: 0x300000b
INFO on line: "315" in file: "lib/tpm2_session.c": Restored session: ESYS_TR(0x40468367) attrs(0x1)
WARNING:esys:src/tss2-esys/api/Esys_PolicyAuthorize.c:309:Esys_PolicyAuthorize_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_PolicyAuthorize.c:111:Esys_PolicyAuthorize() Esys Finish ErrorCode (0x000001c4)
ERROR on line: "53" in file: "lib/log.h": Esys_PolicyAuthorize(0x1C4) - tpm:parameter(1):value is out of range or is not correct for the context
ERROR on line: "49" in file: "tools/tpm2_policyauthorize.c": Could not build tpm authorized policy
INFO on line: "412" in file: "lib/tpm2_session.c": Saved session: ESYS_TR(0x40468367)
INFO on line: "262" in file: "lib/files.c": Save TPMS_CONTEXT->savedHandle: 0x300000b
ERROR on line: "276" in file: "tools/tpm2_tool.c": Unable to run policyauthorize