williamcroberts · June 12, 2023 20:51
diff --git a/wrap_sealdata.py b/wrap_sealdata.py
 #/usr/bin/env python3

 from tpm2_pytss import *
 from tpm2_pytss.utils import wrap

 # This would come from the client, but we create it here for clarity. You
 # could serialize and deserialize a TPM2Bw_PUBLIC of the key to use for object
 # protections and just open the file here.
 e = ESAPI()
 primary_ctx, primary_public = e.create_primary(None)[0:2]

 # Generate the new public and sensitive to wrap which produces the TPM2B_PRIVATE that can be sent to the client
 # Wrap supports accepting or generating an inner wrapping key, but then you need to get this key to the remote, so
 # most folks DONT use it, as one layer of wrapping with aes128cfb is enough. The output seed for import is encrypted
 # with the parents public using an RSA OAEP or ECDH encryption scheme.
 hmac_sens, hmac_pub = TPM2B_SENSITIVE.keyedhash_from_secret(b"Secret\n", objectAttributes=TPMA_OBJECT.USERWITHAUTH)
 hmac_priv, hmac_seed = wrap(primary_public.publicArea, hmac_pub, hmac_sens)[1:3]

 # Import on the client TPM.
 hmac_priv_2 = e.import_(primary_ctx,
    TPM2B_DATA(), # No inner encryption used, wrap() supports it if desired.
    hmac_pub, hmac_priv,
    hmac_seed, # the seed is encrypted RSA OAEP with parent public or an ECDH scheme using ECC
    TPMT_SYM_DEF_OBJECT.parse("null") # Set this to aes128cfb if you want the inner encryption
    )

 hmac_ctx = e.load(primary_ctx, hmac_priv_2, hmac_pub)
 secret = e.unseal(hmac_ctx)
 print(f"Secret: {bytes(secret)}")
	#/usr/bin/env python3

	from tpm2_pytss import *
	from tpm2_pytss.utils import wrap

	# This would come from the client, but we create it here for clarity. You
	# could serialize and deserialize a TPM2Bw_PUBLIC of the key to use for object
	# protections and just open the file here.
	e = ESAPI()
	primary_ctx, primary_public = e.create_primary(None)[0:2]

	# Generate the new public and sensitive to wrap which produces the TPM2B_PRIVATE that can be sent to the client
	# Wrap supports accepting or generating an inner wrapping key, but then you need to get this key to the remote, so
	# most folks DONT use it, as one layer of wrapping with aes128cfb is enough. The output seed for import is encrypted
	# with the parents public using an RSA OAEP or ECDH encryption scheme.
	hmac_sens, hmac_pub = TPM2B_SENSITIVE.keyedhash_from_secret(b"Secret\n", objectAttributes=TPMA_OBJECT.USERWITHAUTH)
	hmac_priv, hmac_seed = wrap(primary_public.publicArea, hmac_pub, hmac_sens)[1:3]

	# Import on the client TPM.
	hmac_priv_2 = e.import_(primary_ctx,
	TPM2B_DATA(), # No inner encryption used, wrap() supports it if desired.
	hmac_pub, hmac_priv,
	hmac_seed, # the seed is encrypted RSA OAEP with parent public or an ECDH scheme using ECC
	TPMT_SYM_DEF_OBJECT.parse("null") # Set this to aes128cfb if you want the inner encryption
	)

	hmac_ctx = e.load(primary_ctx, hmac_priv_2, hmac_pub)
	secret = e.unseal(hmac_ctx)
	print(f"Secret: {bytes(secret)}")