Fix "tpm2_ptool verify --sopin" without "--userpin"

When using option `--sopin` in `tpm2_ptool verify`, `usersealauth` is not initialized but is being used. In practise, the value in `verify_output['wrappingkey']['auth']` is the same as the one in `verify_output['pin']['user']`, so make sure this is set only when the user PIN is really used. Fixes: tpm2-software#624 Signed-off-by: Nicolas Iooss <nicolas.iooss@ledger.fr>
niooss-ledger · Dec 28, 2020 · 2a82d32 · 2a82d32
1 parent 39f1e0b
commit 2a82d32
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/tools/tpm2_pkcs11/commandlets_token.py b/tools/tpm2_pkcs11/commandlets_token.py
@@ -133,8 +133,11 @@ def verify(db, args):
 
             verify_output['wrappingkey'] = {
                 'hex' : bytes.hex(wrappingkeyauth),
-                'auth' : usersealauth['hash']
             }
+            if userpin != None:
+                verify_output['wrappingkey']['auth'] = usersealauth['hash']
+            if sopin != None:
+                verify_output['wrappingkey']['soauth'] = sosealauth['hash']
 
             wrapper = AESAuthUnwrapper(wrappingkeyauth)