parallaxsecond · ionut-arm · Nov 29, 2021 · Nov 26, 2021 · Nov 29, 2021 · Nov 29, 2021
diff --git a/e2e_tests/tests/all_providers/config/mod.rs b/e2e_tests/tests/all_providers/config/mod.rs
@@ -319,9 +319,34 @@ fn no_slot_number() {
 #[test]
 fn no_endorsement_auth() {
     set_config("no_endorsement_auth.toml");
-    // The service should still start, without the slot number.
+    // The service should still start, without the Endorsement auth.
     reload_service();
 
     let mut client = TestClient::new();
     let _ = client.ping().unwrap();
 }
+
+#[test]
+fn activate_cred_no_auth() {
+    set_config("no_endorsement_auth.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = auto_test_keyname!();
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    // Both preparing for and executing an ActivateCredential should
+    // lead to a bad auth being used to generate the EK, hence "generic error"
+    assert_eq!(
+        client
+            .prepare_activate_credential(key_name.clone())
+            .unwrap_err(),
+        ResponseStatus::PsaErrorGenericError
+    );
+    assert_eq!(
+        client
+            .activate_credential_with_key(key_name, None, vec![0x33; 16], vec![0x22; 16])
+            .unwrap_err(),
+        ResponseStatus::PsaErrorGenericError
+    );
+}
diff --git a/e2e_tests/tests/per_provider/normal_tests/key_attestation.rs b/e2e_tests/tests/per_provider/normal_tests/key_attestation.rs
@@ -126,6 +126,7 @@ mod activate_credential {
     }
 
     #[test]
+    #[serial]
     fn activate_credential_bad_data() {
         let key_name = auto_test_keyname!();
         let mut client = TestClient::new();
@@ -135,12 +136,29 @@ mod activate_credential {
         client
             .generate_rsa_sign_key(key_name.clone())
             .expect("Failed to generate key");
+        let prep_activ_cred = client
+            .prepare_activate_credential(key_name.clone())
+            .expect("Failed to get parameters for MakeCredential");
+
+        let (cred, secret) = make_credential(prep_activ_cred);
+
+        // Wrong `secret` value
+        let error = client
+            .activate_credential(key_name.clone(), vec![0xDE; 52], vec![0xAD; 256])
+            .unwrap_err();
+        assert_eq!(error, ResponseStatus::PsaErrorInvalidArgument);
+
+        // Wrong `credential` size (after decryption)
+        let error = client
+            .activate_credential(key_name.clone(), vec![0xDE; 52], secret)
+            .unwrap_err();
+        assert_eq!(error, ResponseStatus::PsaErrorInvalidArgument);
 
-        let _error = client
-            .activate_credential(key_name, vec![0xDE; 52], vec![0xAD; 256])
+        // Wrong `secret` value
+        let error = client
+            .activate_credential(key_name, cred, vec![0xAD; 256])
             .unwrap_err();
-        // TODO: https://github.com/parallaxsecond/parsec/issues/539#issuecomment-978021705
-        // Figure out what error code we should expect here
+        assert_eq!(error, ResponseStatus::PsaErrorInvalidArgument);
     }
 
     #[test]

diff --git a/src/providers/tpm/key_attestation.rs b/src/providers/tpm/key_attestation.rs
@@ -7,6 +7,8 @@ use parsec_interface::operations::{attest_key, prepare_key_attestation};
 use parsec_interface::requests::{ProviderId, ResponseStatus, Result};
 use parsec_interface::secrecy::zeroize::Zeroizing;
 use std::convert::TryFrom;
+use tss_esapi::constants::response_code::Tss2ResponseCodeKind;
+use tss_esapi::Error;
 use tss_esapi::{abstraction::transient::ObjectWrapper, structures::Auth};
 
 impl Provider {
@@ -65,7 +67,7 @@ impl Provider {
             .get_make_cred_params(attested_key, None)
             .map_err(|e| {
                 format_error!("Failed to get MakeCredential parameters", e);
-                utils::to_response_status(e)
+                key_attest_response_status(e)
             })?;
 
         Ok(prepare_key_attestation::Result::ActivateCredential {
@@ -141,11 +143,32 @@ impl Provider {
             )
             .map_err(|e| {
                 format_error!("Failed to activate credential", e);
-                utils::to_response_status(e)
+                key_attest_response_status(e)
             })?;
 
         Ok(attest_key::Result::ActivateCredential {
             credential: credential.into(),
         })
     }
 }
+
+fn key_attest_response_status(error: Error) -> ResponseStatus {
+    match error {
+        Error::Tss2Error(e) => match e.kind() {
+            Some(Tss2ResponseCodeKind::BadAuth) => {
+                error!("Wrong authentication value for attesting key");
+                ResponseStatus::PsaErrorGenericError
+            }
+            Some(Tss2ResponseCodeKind::Value) => {
+                error!("Wrong parameter value for key attestation");
+                ResponseStatus::PsaErrorInvalidArgument
+            }
+            Some(Tss2ResponseCodeKind::Size) => {
+                error!("Wrong parameter size for key attestation");
+                ResponseStatus::PsaErrorInvalidArgument
+            }
+            _ => utils::to_response_status(error),
+        },
+        _ => utils::to_response_status(error),
+    }
+}