// AIKChallengeResponse takes the output from GenerateChallenge along with the // encrypted AIK key blob. The TPM then decrypts the asymmetric challenge with // its EK in order to obtain the AES key, and uses the AES key to decrypt the // symmetrically encrypted data. It verifies that this data blob corresponds // to the AIK it was given, and if so hands back the secret contained within // the symmetrically encrypted data. func AIKChallengeResponse(context *tspi.Context, aikblob []byte, asymchallenge []byte, symchallenge []byte) (secret []byte, err error) { var wellKnown [20]byte srk, err := context.LoadKeyByUUID(tspi.TSS_PS_TYPE_SYSTEM, tspi.TSS_UUID_SRK) if err != nil { return nil, err } srkpolicy, err := srk.GetPolicy(tspi.TSS_POLICY_USAGE) if err != nil { return nil, err } srkpolicy.SetSecret(tspi.TSS_SECRET_MODE_SHA1, wellKnown[:]) tpm := context.GetTPM() tpmpolicy, err := context.CreatePolicy(tspi.TSS_POLICY_USAGE) if err != nil { return nil, err } tpm.AssignPolicy(tpmpolicy) tpmpolicy.SetSecret(tspi.TSS_SECRET_MODE_SHA1, wellKnown[:]) aik, err := context.LoadKeyByBlob(srk, aikblob) if err != nil { return nil, err } secret, err = tpm.ActivateIdentity(aik, asymchallenge, symchallenge) return secret, err }