From 78be5098ccab77f2d7f3bc65f895a980a33c7c13 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 8 Aug 2019 18:12:14 -0700
Subject: [PATCH] Added wrapper for changing a key's authentication `wolfTPM2_ChangeAuthKey`.
---
 examples/tpm_test.h | 1 +
 examples/wrap/wrap_test.c | 5 ++++
 src/tpm2_wrap.c | 63 +++++++++++++++++++++++++++++++++++++++
 wolftpm/tpm2_wrap.h | 2 ++
 4 files changed, 71 insertions(+)
diff --git a/examples/tpm_test.h b/examples/tpm_test.h
index 697fa542..c6084cb8 100755
--- a/examples/tpm_test.h
+++ b/examples/tpm_test.h
@@ -40,6 +40,7 @@ static const char gStorageKeyAuth[] = "ThisIsMyStorageKeyAuth";
 static const char gKeyAuth[] = "ThisIsMyKeyAuth";
+static const char gKeyAuthAlt[] = "ThisIsMyKeyAltAuth";
 static const char gUsageAuth[] = "ThisIsASecretUsageAuth";
 #ifndef WOLFTPM_ST33
diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c
index 48bc74c5..765fa643 100644
--- a/examples/wrap/wrap_test.c
+++ b/examples/wrap/wrap_test.c
@@ -353,6 +353,11 @@ int TPM2_Wrapper_Test(void* userCtx)
 &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
 if (rc != 0) goto exit;
+ /* Test changing auth for a key */
+ rc = wolfTPM2_ChangeAuthKey(&dev, &eccKey, &storageKey.handle,
+ (byte*)gKeyAuthAlt, sizeof(gKeyAuthAlt)-1);
+ if (rc != 0) goto exit;
+
 /* Perform sign / verify */
 message.size = TPM_SHA256_DIGEST_SIZE; /* test message 0x11,0x11,etc */
 XMEMSET(message.buffer, 0x11, message.size);
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index a74c18d6..6b88fd54 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
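Review bot: The example only asserts that `wolfTPM2_ChangeAuthKey` returned 0; the sign/verify that follows authenticates with `eccKey.handle.auth`, which the wrapper itself overwrites, so a regression in which the auth is never actually changed on the TPM would still pass. A negative step — repeating one private-key operation with `gKeyAuth` restored into `eccKey.handle.auth` and requiring a non-zero rc before restoring `gKeyAuthAlt` — would pin the behaviour this hunk is meant to cover. TPM2_Wrapper_Test starts and ends outside the hunk.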
@@ -512,6 +512,69 @@ int wolfTPM2_CreatePrimaryKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 return rc;
 }
+int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
+ WOLFTPM2_HANDLE* parent, const byte* auth, int authSz)
+{
+ int rc;
+ ObjectChangeAuth_In changeIn;
+ ObjectChangeAuth_Out changeOut;
+ Load_In loadIn;
+ Load_Out loadOut;
+
+ if (dev == NULL || key == NULL || parent == NULL)
+ return BAD_FUNC_ARG;
+
+ /* set session auth for key */
+ dev->session[0].auth = key->handle.auth;
+
+ XMEMSET(&changeIn, 0, sizeof(changeIn));
+ changeIn.objectHandle = key->handle.hndl;
+ changeIn.parentHandle = parent->hndl;
+ if (auth) {
+ if (authSz > (int)sizeof(changeIn.newAuth.buffer))
+ authSz = (int)sizeof(changeIn.newAuth.buffer);
+ changeIn.newAuth.size = authSz;
+ XMEMCPY(changeIn.newAuth.buffer, auth, changeIn.newAuth.size);
+ }
+
+ rc = TPM2_ObjectChangeAuth(&changeIn, &changeOut);
+ if (rc != TPM_RC_SUCCESS) {
+ #ifdef DEBUG_WOLFTPM
+ printf("TPM2_ObjectChangeAuth failed %d: %s\n", rc,
+ wolfTPM2_GetRCString(rc));
+ #endif
+ return rc;
+ }
+
+ /* unload old key */
+ wolfTPM2_UnloadHandle(dev, &key->handle);
+
+ /* set session auth for parent key */
+ dev->session[0].auth = parent->auth;
+
+ /* Load new key */
+ XMEMSET(&loadIn, 0, sizeof(loadIn));
+ loadIn.parentHandle = parent->hndl;
+ loadIn.inPrivate = changeOut.outPrivate;
+ loadIn.inPublic = key->pub;
+ rc = TPM2_Load(&loadIn, &loadOut);
+ if (rc != TPM_RC_SUCCESS) {
+ #ifdef DEBUG_WOLFTPM
+ printf("TPM2_Load key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc));
+ #endif
+ return rc;
+ }
+ key->handle.dev = dev;
+ key->handle.hndl = loadOut.objectHandle;
+ key->handle.auth = changeIn.newAuth;
+
+#ifdef DEBUG_WOLFTPM
+ printf("wolfTPM2_ChangeAuthKey: Key Handle 0x%x\n", (word32)key->handle.hndl);
+#endif
+
+ return rc;
+}
+
 int wolfTPM2_CreateAndLoadKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 WOLFTPM2_HANDLE* parent, TPMT_PUBLIC* publicTemplate,
 const byte* auth, int authSz)
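Review bot: When `TPM2_Load` fails, the original object has already been flushed by `wolfTPM2_UnloadHandle` a few lines earlier, but the function returns with `key->handle.hndl` and `key->handle.auth` still describing that old object, so a caller that sees the error and keeps using `key` is holding a dead handle plus the old secret. Before the `return rc;` in that branch, invalidate it, e.g. `key->handle.hndl = TPM_RH_NULL;` and `XMEMSET(&key->handle.auth, 0, sizeof(key->handle.auth));`. The `authSz` handling only clamps from above: a negative `authSz` gets past `if (auth)`, is assigned to `changeIn.newAuth.size` and is then used as the `XMEMCPY` length, so `if (authSz < 0) return BAD_FUNC_ARG;` belongs with the NULL checks at the top. Silently clamping an over-long auth also means the key ends up protected by a different value than the caller supplied; rejecting it with `BAD_FUNC_ARG` is safer, or at minimum the truncation should be stated in the header comment. The return value of `wolfTPM2_UnloadHandle` is discarded as well, so a failed flush of the old object goes unnoticed.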
diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
index b9398093..f363f1c3 100644
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
@@ -119,6 +119,8 @@ WOLFTPM_API int wolfTPM2_StartSession(WOLFTPM2_DEV* dev,
 WOLFTPM_API int wolfTPM2_CreatePrimaryKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 TPM_HANDLE primaryHandle, TPMT_PUBLIC* publicTemplate,
 const byte* auth, int authSz);
+WOLFTPM_API int wolfTPM2_ChangeAuthKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
+ WOLFTPM2_HANDLE* parent, const byte* auth, int authSz);
 WOLFTPM_API int wolfTPM2_CreateAndLoadKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 WOLFTPM2_HANDLE* parent, TPMT_PUBLIC* publicTemplate,
 const byte* auth, int authSz);
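Review bot: The new prototype comes without any comment describing its contract, and the implementation in src/tpm2_wrap.c has a side effect a caller must know about: on success the existing object is flushed and `key->handle.hndl` is replaced by a newly loaded handle, so any copy of the previous handle value is invalid afterwards. I would put a short block comment above the declaration stating that, plus that `key->handle.auth` is replaced by the new auth, that a NULL `auth` yields a zero-length new auth value, that an `authSz` beyond the auth buffer size is truncated, and that `parent->auth` must be valid because the reload authorizes with it. The surrounding declarations are undocumented too, but a function that invalidates its input handle is the one where the contract matters most.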