authorJames Bottomley <James.Bottomley@HansenPartnership.com>2018-06-29 17:42:27 -0700
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2018-06-29 17:42:27 -0700
commit8763f3c14fb82bb910c99c3db5e46ebc42526315 (patch)
tree3e92666efcc53818c96c7508e513bb9d6c5f7e14
parent4ee4b9e65ad5c5bb6d0f076602719dc480d45e17 (diff)
downloadopenssl_tpm2_engine-8763f3c14fb82bb910c99c3db5e46ebc42526315.tar.gz
create_tpm2_key: fix ordering of password collection and policy file parsing
The current order collects the auth first, before parsing the policy file, which has the unfortunate consequence that we'll make you type in a verified password before we error out and tell you that you don't have the correct PolicyAuthValue command in your policy file. Reorder this so we only collect the password after we've verified the policy correctly supports it.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--create_tpm2_key.c26
1 files changed, 14 insertions, 12 deletions
diff --git a/create_tpm2_key.c b/create_tpm2_key.c
index dc89199..9845520 100644
--- a/create_tpm2_key.c
+++ b/create_tpm2_key.c
@@ -726,18 +726,6 @@ int main(int argc, char **argv)
rsa = 0;
}
- if (auth) {
- if (key) {
- /* key length already checked */
- strcpy(auth, key);
- } else {
- if (EVP_read_pw_string(auth, 128, "Enter TPM key authority: ", 1)) {
- fprintf(stderr, "Passwords do not match\n");
- exit(1);
- }
- }
- }
-
dir = tpm2_set_unique_tssdir();
rc = tpm2_create(&tssContext, dir);
if (rc) {
@@ -774,6 +762,20 @@ int main(int argc, char **argv)
}
}
+ if (auth) {
+ if (key) {
+ /* key length already checked */
+ strcpy(auth, key);
+ } else {
+ if (EVP_read_pw_string(auth, 128, "Enter TPM key authority: ", 1)) {
+ fprintf(stderr, "Passwords do not match\n");
+ reason = "authorization";
+ rc = NOT_TPM_ERROR;
+ goto out_flush;
+ }
+ }
+ }
+
if (wrap) {
Import_In iin;
Import_Out iout;
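Review bot: The relocated password block still depends on a buffer size that is agreed by convention rather than by one definition: `strcpy(auth, key)` rests on the "key length already checked" comment, and `EVP_read_pw_string(auth, 128, ...)` repeats a literal 128, while both the allocation of `auth` and the length check on `key` are outside this hunk. Since the block now sits further from that check, I would tie all three to one named constant and bound the copy, e.g. `snprintf(auth, AUTH_BUF_LEN, "%s", key);` and `EVP_read_pw_string(auth, AUTH_BUF_LEN, "Enter TPM key authority: ", 1)` (AUTH_BUF_LEN is a suggested name, not one from the file). Separately, every non-zero return from the prompt is reported as "Passwords do not match", which presumably also covers a failed or cancelled read, so a more neutral message such as `fprintf(stderr, "Failed to read TPM key authority\n");` would be less misleading. main() starts and ends outside the hunk, so it cannot be seen here whether the `out_flush` path wipes `auth` before exit.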