in azure-protected-vm-secrets/Tss2Wrapper.cpp [236:313]
std::vector<unsigned char> Tss2Wrapper::Tss2RsaDecrypt(std::vector<unsigned char> const&encryptedData) {
TPM2B_PUBLIC* out_public = 0;
ESYS_TR ephemeral_handle = ESYS_TR_NONE;
std::vector<unsigned char> retval = std::vector<unsigned char>();
ESYS_TR object_handle = {};
ESYS_TR srk_handle = {};
ESYS_TR keyHandle, session;
TSS2_RC r;
ESYS_TR primaryHandle = ESYS_TR_NONE;
TPM2B_PUBLIC_KEY_RSA cipher = { 0 };
TPM2B_PUBLIC_KEY_RSA* plain2 = nullptr;
TPM2B_DATA* null_data = nullptr;
TPM2B_AUTH authValue = {
0, // size
{} // buffer
};
r = Esys_TR_SetAuth(this->ctx->Get(), ESYS_TR_RH_OWNER, &authValue);
if (r != TSS2_RC_SUCCESS)
{
// TpmError, Subclass Auth, setAuthError
throw TpmError(r, "Failed to set auth",
ErrorCode::TpmError_Auth_setAuthError);
}
r = Esys_TR_FromTPMPublic(
this->ctx->Get(), KEYHANDLE,
ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
&primaryHandle);
if (r != TSS2_RC_SUCCESS)
{
// TpmError, Subclass Handles, handlePresentError
throw TpmError(r, "Failed to read tpm object from handle",
ErrorCode::TpmError_Handles_handlePresentError);
}
r = Esys_TR_SetAuth(this->ctx->Get(), primaryHandle,
&authValue);
if (r != TSS2_RC_SUCCESS)
{
// TpmError, Subclass Auth, setAuthError
throw TpmError(r, "Failed to set auth",
ErrorCode::TpmError_Auth_setAuthError);
}
// Set plaintext data
TPM2B_PUBLIC_KEY_RSA plain = { 0 };
std::copy(encryptedData.begin(), encryptedData.end(), cipher.buffer);
cipher.size = encryptedData.size();
// Set scheme
TPMT_RSA_DECRYPT scheme;
scheme.scheme = TPM2_ALG_RSAES;
// Execute decrypt
r = Esys_RSA_Decrypt(this->ctx->Get(), primaryHandle,
ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
&cipher, &scheme, null_data, &plain2);
if (r != TSS2_RC_SUCCESS)
{
// CryptoError, Subclass TpmRsa, decryptError
throw TpmError(r, "Failed to Decrypt data",
ErrorCode::CryptographyError_TpmRsa_decryptError);
}
retval.insert(retval.end(), plain2->buffer, plain2->buffer + plain2->size);
Esys_Free(null_data);
Esys_Free(plain2);
return retval;
}