/// <summary> /// Cosntructs a new SealBlockCipher with the specified arguments, the seal auth is requested from the user /// on first use /// </summary> /// <param name="keyHandle"></param> /// <param name="session"></param> public SealBlockCipher(ClientKeyHandle keyHandle, TPMSession session, TPMPCRSelection pcrSelection) { _keyHandle = keyHandle; _session = session; _myId = session.GetFreeId(); _pcrSelection = pcrSelection; _keyInfo = _keyHandle.KeyInfo; }
/// <summary> /// Cosntructs a new BindBlockCipher with the specified arguments, the seal auth is requested from the user /// on first use /// </summary> /// <param name="keyHandle"></param> /// <param name="session"></param> public BindBlockCipher(ClientKeyHandle keyHandle, TPMSession session) { _keyHandle = keyHandle; _session = session; _keyInfo = _keyHandle.KeyInfo; if (_keyInfo.KeyUsage != TPMKeyUsage.TPM_KEY_BIND) { throw new ArgumentException(string.Format("The key '{0}' is not a binding key!", keyHandle.FriendlyName)); } }
/// <summary> /// Verifies a signature generated on the tpm /// </summary> /// <param name="keyInfo">The key blob loaded into the tpm</param> /// <param name="pubkey">the public key</param> /// <param name="data">data to verify for integrity</param> /// <param name="signature">signature to verify</param> /// <returns></returns> public static bool VerifySignature(TPMKey keyInfo, TPMPubkey pubkey, byte[] data, byte[] signature) { if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1) { byte[] localDataDigest = new HashProvider().Hash(new HashByteDataProvider(data)); ISigner signatureVerificator = pubkey.CreateSignatureVerificator(); signatureVerificator.BlockUpdate(data, 0, data.Length); return(signatureVerificator.VerifySignature(signature)); } else { throw new NotSupportedException(string.Format("The signature scheme '{0}' is not supported", keyInfo.AlgorithmParams.SigScheme)); } }
/// <summary> /// Creates an ISigner for quoting using this key /// </summary> /// <param name="pcrSelection"></param> /// <returns></returns> public ISigner CreateQuoter(TPMPCRSelection pcrSelection) { TPMKey keyInfo = KeyInfo; if (keyInfo.AlgorithmParams.AlgorithmId == TPMAlgorithmId.TPM_ALG_RSA && keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1) { return(new QuoteSigner(_tpmSession, this, pcrSelection)); } else { throw new NotSupportedException(string.Format("Quoter not supported for '{0}-{1}'", keyInfo.AlgorithmParams.AlgorithmId, keyInfo.AlgorithmParams.SigScheme)); } }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_nonce, 0, 20); _pcrSelection.WriteToTpmBlob(requestBlob); _keyManager.LoadKey(_params.GetValueOf <string>("key")); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); // Do signature verification TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce); byte[] signingData; using (TPMBlob blob = new TPMBlob()) { quoteInfo.WriteToTpmBlob(blob); signingData = blob.ToArray(); } Parameters pubKeyParams = new Parameters(); pubKeyParams.AddPrimitiveType("key", _params.GetValueOf <string>("key")); TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams); TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest, _commandAuthHelper, _keyManager); if (pubKeyResponse.Status == false) { _log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key"); return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters())); } TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf <string>("key"))); TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf <TPMPubkey>("pubkey"); if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false) { throw new ArgumentException("The TPM_Quote signature could not be verified"); } Parameters responseParams = new Parameters(); responseParams.AddValue("pcrData", pcrComposite); responseParams.AddPrimitiveType("sig", signature); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams)); }
protected override TPMCommandResponse InternalProcess() { string key = _params.GetValueOf <string>("key"); _keyManager.LoadKey(key); TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key)); if (keyInfo == null) { throw new ArgumentException(string.Format("TPM_Sign could not retrieve keyinfo for key '{0}'", key)); } byte[] areaToSign = null; if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1) { //Client has hopefully put data in the right format ready for the tpm to process if (_params.IsDefined <byte[]>("areaToSign")) { areaToSign = _params.GetValueOf <byte[]>("areaToSign"); } //Client just sends data, tpm lib cares about the right, signature dependent, processing else if (_params.IsDefined <byte[]>("data")) { byte[] data = _params.GetValueOf <byte[]>("data"); areaToSign = new HashProvider().Hash(new HashByteDataProvider(data)); } if (areaToSign.Length != 20) { throw new ArgumentException(string.Format("Sig scheme '{0}' expects an area to sign with length 20!", keyInfo.AlgorithmParams.SigScheme)); } } else { throw new ArgumentException(string.Format("TPM_Sign has not implemented signature scheme '{0}' for algorithm '{1}'", keyInfo.AlgorithmParams.SigScheme, keyInfo.AlgorithmParams.AlgorithmId)); } TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Sign); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.WriteUInt32((uint)areaToSign.Length); requestBlob.Write(areaToSign, 0, areaToSign.Length); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("sig", signature); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Sign, responseParams)); }
public override void Read(Stream src) { base.Read(src); _tpmKey = StreamHelper.ReadTypedStreamSerializable <TPMKey>(src); }