func Seal()

in tpm/tpm.go [51:92]


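// Seal seals dataToSeal to the TPM at tpmPath so that it can later be unsealed
// only under the authorization policy built by policyPCRPasswordSession
// (defined elsewhere in this file) for PCR index pcr and objectPassword.
// It returns the sealed object's private and public areas, which the caller
// must retain for the unseal step.
//
// The parent is a primary key created under the Owner hierarchy from
// srkTemplate (defined elsewhere in this file) and authorized with srkPassword.
// NOTE(review): this presumably relies on CreatePrimary re-deriving the same
// parent from the hierarchy seed and template at unseal time — confirm against
// the Unseal path before changing srkTemplate.
//
// TPM/library errors are wrapped with %w so callers can inspect them with
// errors.Is / errors.As; the messages are unchanged.
func Seal(tpmPath string, pcr int, srkPassword, objectPassword string, dataToSeal []byte) ([]byte, []byte, error) {
	// Reject negative indices up front. An index beyond the TPM's PCR count is
	// refused by the TPM itself, but a negative value is mis-encoded into the
	// PCR-selection bitmask by the library before it reaches the TPM (and may
	// panic there) instead of producing a clean error.
	if pcr < 0 {
		return nil, nil, fmt.Errorf("invalid PCR index %d", pcr)
	}

	rwc, err := tpm2.OpenTPM(tpmPath)
	if err != nil {
		return nil, nil, fmt.Errorf("can't open TPM %q: %w", tpmPath, err)
	}
	defer rwc.Close()

	// Create the parent key against which to seal the data.
	srkHandle, _, err := tpm2.CreatePrimary(rwc, tpm2.HandleOwner, tpm2.PCRSelection{}, "", srkPassword, srkTemplate)
	if err != nil {
		return nil, nil, fmt.Errorf("can't create primary key: %w", err)
	}
	// Transient objects occupy scarce TPM slots; flush on every exit path.
	defer tpm2.FlushContext(rwc, srkHandle)

	glog.Infof("Created parent key with handle: 0x%x\n", srkHandle)

	// Read the PCR for logging only. The value the policy actually binds to
	// is captured inside policyPCRPasswordSession, not taken from this read.
	pcrVal, err := tpm2.ReadPCR(rwc, pcr, tpm2.AlgSHA256)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to read PCR: %w", err)
	}
	glog.Infof("PCR %v value: 0x%x\n", pcr, pcrVal)

	// Build the authorization policy the sealed object will require. Only the
	// resulting digest is needed by tpm2.Seal, so the session is flushed
	// immediately rather than left to consume a session slot.
	sessHandle, policy, err := policyPCRPasswordSession(rwc, pcr, objectPassword)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to get policy: %w", err)
	}
	if err := tpm2.FlushContext(rwc, sessHandle); err != nil {
		return nil, nil, fmt.Errorf("unable to flush session: %w", err)
	}
	glog.Infof("Created authorization policy: 0x%x\n", policy)

	// Seal the data under the parent key, bound to the policy digest.
	// Argument order: parent auth, then the new object's auth value.
	privateArea, publicArea, err := tpm2.Seal(rwc, srkHandle, srkPassword, objectPassword, policy, dataToSeal)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to seal data: %w", err)
	}
	// NOTE(review): privateArea is the TPM-wrapped blob (presumably encrypted
	// under the parent), so logging it should not expose dataToSeal — but it
	// is noisy for an INFO line; consider dropping it outside of demos.
	glog.Infof("Sealed data: 0x%x\n", privateArea)

	return privateArea, publicArea, nil
}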