Seems to work for me. What version of the tools are you using?

I modified the test and it seems to work as expected (if I drop the password in tpm2 sign, it fails).

git diff
diff --git a/test/integration/tests/import.sh b/test/integration/tests/import.sh
index ff8f9b3b96eb..d22cdb41a73b 100644
--- a/test/integration/tests/import.sh
+++ b/test/integration/tests/import.sh
@@ -117,13 +117,13 @@ run_ecc_import_test() {
     shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \
     data.in.digest
 
-    tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
+    tpm2 import -Q -G ecc -g "$name_alg" -p password -i private.ecc.pem -C $1 -u ecc.pub \
     -r ecc.priv
 
     tpm2 load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx
 
     # Sign in the TPM and verify with OSSL
-    tpm2 sign -Q -c ecc.ctx -g sha256 -d -f plain -o data.out.signed \
+    tpm2 sign -Q -c ecc.ctx -p password -g sha256 -d -f plain -o data.out.signed \
     data.in.digest
     openssl dgst -verify public.ecc.pem -keyform pem -sha256 \
     -signature data.out.signed data.in.raw
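
Review bot: The `-p password` coverage on the `tpm2 import` and `tpm2 sign` lines sits only in run_ecc_import_test, while the report in this thread concerns tpm2_rsadecrypt on an imported key, so the RSA import path is still untested for auth; the same change would be worth making in the RSA import test. The hunk also asserts only the success path: the manual check described above (dropping `-p` from `tpm2 sign` makes it fail) is not encoded, so consider adding a step that runs `tpm2 sign -Q -c ecc.ctx -g sha256 -d -f plain ...` without `-p` and expects a non-zero exit. Note that a failed authorization increments the DA counter, as the error output quoted in this thread shows, so the negative step should be limited to a single attempt. As a style point, the literal `password` is repeated on both changed lines; a shared shell variable would keep the import and sign values in sync.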


From: Ted Kim <ted.h.kim@oracle.com>
Sent: Monday, April 19, 2021 4:24 PM
To: tpm2@lists.01.org <tpm2@lists.01.org>
Subject: [tpm2] Re: does -p (password) work with tpm2_import ?
 

On 4/16/21 11:28 AM, Ted Kim wrote:
> Folks,
>
> I tried tpm2_import with the -p option with a password, and it doesn't
> seem to work for me.
>
> Subsequent tpm2_rsadecrypt commands using the key from the import seem
> to work fine without any -p option.
>
> * Does import work with -p ?  Is there something I have overlooked in
> this?

Further, if you actually supply the correct password to tpm2_rsadecrypt
command with the -p option, you get an auth error:

WARNING:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:305:Esys_RSA_Decrypt_Finish()
Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt()
Esys Finish ErrorCode (0x0000098e)
ERROR: Esys_RSA_Decrypt(0x98E) - tpm:session(1):the authorization HMAC
check failed and DA counter incremented
ERROR: Unable to run tpm2_rsadecrypt


Trying this same sequence with a key created with tpm2_create works
fine, so am thinking there is something wrong with tpm2_import not
processing the -p properly.

Can the maintainers look into this?

Thanks,
-ted



>
>
>
> I understand that tpm2_rsaencrypt does not take the -p option in line
> with the idea of using a "public" key.
>
> * Is it correct to say that if I want to have authorization on
> encryption, I have to use tpm2_encryptdecrypt (i.e. use symmetric keys) ?
>
>
>
> Thanks,
>
> -ted
>
>