PR feedback

Improved the tests to check for the exact response code expected.
Improved the documentation on `MakeCredentialParams` to detail what the
contents are meant for.

Signed-off-by: Ionut Mihalcea <[email protected]>

Author: ionut-arm

tss-esapi/src/abstraction/transient/key_attestation.rs

@@ -19,8 +19,22 @@ use std::convert::{TryFrom, TryInto};
 
 #[derive(Debug)]
 /// Wrapper for the parameters needed by MakeCredential
+///
+/// The 3rd party requesting proof that the key is indeed backed
+/// by a TPM would perform a MakeCredential and would thus require
+/// `name` and `attesting_key_pub` as inputs for that operation.
+///
+/// `public` is not strictly needed, however it is returned as a
+/// convenience block of data. Since the MakeCredential operation
+/// bakes into the encrypted credential the identity of the key to
+/// be attested via its `name`, the correctness of the `name` must
+/// be verifiable by the said 3rd party. `public` bridges this gap:
+///
+/// * it includes all the public parameters of the attested key
+/// * can be hashed (in its marshaled form) with the name hash
+/// (found by unmarshaling it) to obtain `name`
 pub struct MakeCredParams {
-    /// TPM name of the object
+    /// TPM name of the object being attested
     pub name: Vec<u8>,
     /// Encoding of the public parameters of the object whose name
     /// will be included in the credential computations

tss-esapi/tests/integration_tests/abstraction_tests/transient_key_context_tests.rs

@@ -790,15 +790,22 @@ fn activate_credential_wrong_key() {
     drop(basic_ctx);
 
     // Create a new Transient key context and activate the credential
+    // Validation fails within the TPM because the credential HMAC is
+    // associated with a different object (so the integrity check fails).
     let mut ctx = create_ctx();
-    let _ = ctx
+    let e = ctx
         .activate_credential(
             wrong_obj,
             None,
             cred.value().to_vec(),
             secret.value().to_vec(),
         )
         .unwrap_err();
+    if let Error::Tss2Error(e) = e {
+        assert_eq!(e.kind(), Some(Tss2ResponseCodeKind::Integrity));
+    } else {
+        panic!("Got crate error ({}) when expecting an error from TPM.", e);
+    }
 }
 
 #[test]
@@ -821,11 +828,23 @@ fn activate_credential_wrong_data() {
         params,
     };
 
-    let _ = ctx
+    // No data (essentially wrong size)
+    let e = ctx
         .activate_credential(obj.clone(), None, vec![], vec![])
         .unwrap_err();
+    if let Error::Tss2Error(e) = e {
+        assert_eq!(e.kind(), Some(Tss2ResponseCodeKind::Size));
+    } else {
+        panic!("Got crate error ({}) when expecting an error from TPM.", e);
+    }
 
-    let _ = ctx
+    // Correct size but gibberish
+    let e = ctx
         .activate_credential(obj, None, vec![0xaa; 52], vec![0x55; 256])
         .unwrap_err();
+    if let Error::Tss2Error(e) = e {
+        assert_eq!(e.kind(), Some(Tss2ResponseCodeKind::Value));
+    } else {
+        panic!("Got crate error ({}) when expecting an error from TPM.", e);
+    }
 }