private AuthHandleItem FindReservedHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
foreach (AuthHandleItem handle in _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedIn))
{
if (handle.AssociatedCommand == null)
{
continue;
}
if (handle.AssociatedCommand.Value.Key == authSession &&
handle.AssociatedCommand.Value.Value == cmd)
{
return(handle);
}
}
foreach (AuthHandleItem handle in _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut))
{
if (handle.AssociatedCommand == null)
{
continue;
}
if (handle.AssociatedCommand.Value.Key == authSession &&
handle.AssociatedCommand.Value.Value == cmd)
{
return(handle);
}
}
return(null);
}
public void LoadAuthHandle(AuthHandle authHandle)
{
using (new LockContext(_authHandles, "AuthHandleManager::LoadAuthHandle"))
{
List <AuthHandleItem> myAuthHandles = _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut);
_logger.DebugFormat("LoadAuthHandle: #{0}", myAuthHandles.Count);
foreach (AuthHandleItem handleItem in myAuthHandles)
{
_logger.DebugFormat("LoadAuthHandles: Found auth handle {0} with status {1}", handleItem.AuthHandle, handleItem.Status);
if (handleItem.AuthHandle == authHandle &&
handleItem.Status != AuthHandleItem.AuthHandleStatus.SwappedIn)
{
//If we have an OSAP auth handle, make sure that the corresponding resource is loaded
AuthSessionNum authSession = handleItem.AssociatedCommand.Value.Key;
IAuthorizableCommand cmd = handleItem.AssociatedCommand.Value.Value;
KeyHandle newKeyHandle;
if (cmd.GetEntityType(authSession) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE && cmd.GetHandle(authSession) != KeyHandle.KEY_SRK)
{
cmd.KeyManager.LoadKey(cmd.GetHandle(authSession));
newKeyHandle = cmd.KeyManager.IdentifierToHandle(cmd.GetHandle(authSession));
if (handleItem.AuthHandle.EntityValue != newKeyHandle.Handle)
{
throw new ArgumentException(string.Format("OSAP with entity type={0}, entity value={1} could not be restored", handleItem.AuthHandle.EntityType, handleItem.AuthHandle.EntityValue));
}
}
SwapIn(handleItem);
_logger.DebugFormat("LoadAuthHandles: Swapped in {0}", handleItem.AuthHandle);
}
}
}
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum == AuthSessionNum.Auth1)
{
string keyIdentifier = _params.GetValueOf <string>("key");
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", keyIdentifier);
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));
}
else if (authSessionNum == AuthSessionNum.Auth2)
{
string identifier = _params.GetValueOf <string>("key");
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", identifier);
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, parameters));
}
else
{
return(null);
}
}
/// <summary>
/// Assures that the shared secret for the specified authorization handle has been
/// calculated, if not it gets calculated. If no OSAP session exists, create it
/// </summary>
/// <param name="cmd"></param>
/// <param name="sessionNum"></param>
/// <returns></returns>
public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum)
{
// using(AcquireLock())
// {
// //Must not be called for OSAP at the moment because OSAP session are not cached
// _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
// }
//
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if(keyInfo == null)
return null;
AuthHandle authHandle;
using(AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
// If shared secret has not yet been generated, do it
if(authHandle.SharedSecret == null)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest(
_ctx,
new HashByteDataProvider(authHandle.NonceEvenOSAP),
new HashByteDataProvider(authHandle.NonceOddOSAP)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
Parameters paramsSharedSecret = new Parameters();
if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK)
{
if(cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK)
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
else
{
paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum));
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret);
}
}
else if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER)
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters());
else
throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'",
cmd.GetEntityType(authSessionNum)));
GenerateHMACResponse response = request.TypedExecute ();
response.AssertResponse();
authHandle.SharedSecret = response.TpmAuthData;
}
return authHandle;
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum == AuthSessionNum.Auth1)
{
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()));
}
return(null);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
{
return(null);
}
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, null));
}
public override string GetHandle(AuthSessionNum authSessionNum)
{
if (authSessionNum == AuthSessionNum.Auth1)
{
return(_params.GetValueOf <string>("key"));
}
return(null);
}
public override string GetHandle(AuthSessionNum authSessionNum)
{
if (authSessionNum == AuthSessionNum.Auth1)
{
return(TPMKeyHandles.TPM_KH_OWNER.ToString());
}
return(null);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
{
return(null);
}
Parameters hmacKeyInfoParams = new Parameters();
hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf <string>("key"));
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams));
}
public AuthHandle GetAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
AuthHandleItem reservedHandle = null;
using (new LockContext(_authHandles, string.Format("AuthHandleManager::GetAuthHandle {0}", cmd)))
{
reservedHandle = FindReservedHandle(cmd, authSession);
// No reserved auth handle was found, create a new one
if (reservedHandle == null)
{
reservedHandle = CreateAuthHandle(cmd, authSession);
}
}
return(reservedHandle.AuthHandle);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
{
return(null);
}
if (_params.GetValueOf <bool>("parent_key_srk"))
{
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()));
}
else
{
Parameters hmacKeyInfoParams = new Parameters();
hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf <string>("parent_identifier"));
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams));
}
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
{
return(null);
}
string parentIdentifier = _params.GetValueOf <string>("parent");
if (parentIdentifier == KeyHandle.KEY_SRK)
{
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()));
}
else
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", parentIdentifier);
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));
}
}
public virtual TPMEntityTypeLSB GetEntityType(AuthSessionNum austhSessionNum)
{
return(TPMEntityTypeLSB.TPM_ET_KEYHANDLE);
}
public override string GetHandle(AuthSessionNum authSessionNum)
{
return null;
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if(authSessionNum != AuthSessionNum.Auth1)
return null;
string parentIdentifier = _params.GetValueOf<string>("parent");
if(parentIdentifier == KeyHandle.KEY_SRK)
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
else
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", parentIdentifier);
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters);
}
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if(authSessionNum == AuthSessionNum.Auth1)
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters());
return null;
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if(authSessionNum != AuthSessionNum.Auth1)
return null;
string keyIdentifier = _params.GetValueOf<string>("key");
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", keyIdentifier);
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters);
}
public override string GetHandle(AuthSessionNum authSessionNum)
{
return(null);
}
public override TPMEntityTypeLSB GetEntityType(AuthSessionNum austhSessionNum)
{
return(TPMEntityTypeLSB.TPM_ET_OWNER);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
return null;
return new HMACKeyInfo (HMACKeyInfo.HMACKeyType.OwnerSecret, null);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if(authSessionNum != AuthSessionNum.Auth1)
return null;
if(_params.GetValueOf<bool>("parent_key_srk"))
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
else
{
Parameters hmacKeyInfoParams = new Parameters();
hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf<string>("parent_identifier"));
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams);
}
}
public override string GetHandle(AuthSessionNum authSessionNum)
{
if(authSessionNum == AuthSessionNum.Auth1)
return TPMKeyHandles.TPM_KH_OWNER.ToString();
return null;
}
public override TPMEntityTypeLSB GetEntityType(AuthSessionNum austhSessionNum)
{
return TPMEntityTypeLSB.TPM_ET_OWNER;
}
public abstract HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum);
public virtual string GetHandle(AuthSessionNum authSessionNum)
{
return null;
}
public override string GetHandle(AuthSessionNum authSessionNum)
{
if(authSessionNum == AuthSessionNum.Auth1)
return _params.GetValueOf<string>("key");
return null;
}
public abstract HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum);
/// <summary>
/// Assures that the shared secret for the specified authorization handle has been
/// calculated, if not it gets calculated. If no OSAP session exists, create it
/// </summary>
/// <param name="cmd"></param>
/// <param name="sessionNum"></param>
/// <returns></returns>
public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum)
{
// using(AcquireLock())
// {
// //Must not be called for OSAP at the moment because OSAP session are not cached
// _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
// }
//
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
return(null);
}
AuthHandle authHandle;
using (AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
// If shared secret has not yet been generated, do it
if (authHandle.SharedSecret == null)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest(
_ctx,
new HashByteDataProvider(authHandle.NonceEvenOSAP),
new HashByteDataProvider(authHandle.NonceOddOSAP)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
Parameters paramsSharedSecret = new Parameters();
if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK)
{
if (cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK)
{
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
}
else
{
paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum));
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret);
}
}
else if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER)
{
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters());
}
else
{
throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'",
cmd.GetEntityType(authSessionNum)));
}
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authHandle.SharedSecret = response.TpmAuthData;
}
return(authHandle);
}
private AuthHandleItem CreateAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP))
{
TPMCommandRequest oiapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse oiapResponse = _tpmContext.TPM.Process(oiapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (oiapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating oiap auth handle");
}
AuthHandle newAuthHandle = oiapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OIAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else if (cmd.SupportsAuthType(AuthHandle.AuthType.OSAP))
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("entity_msb", TPMEntityTypeMSB.TPM_ET_XOR);
parameters.AddPrimitiveType("entity_lsb", cmd.GetEntityType(authSession));
string identifier = cmd.GetHandle(authSession);
if (identifier == null)
{
throw new TPMRequestException("Missing entity value for OSAP session");
}
parameters.AddPrimitiveType("entity_value", identifier);
TPMCommandRequest osapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OSAP, parameters);
TPMCommandResponse osapResponse = _tpmContext.TPM.Process(osapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (osapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating osap auth handle");
}
AuthHandle newAuthHandle = osapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OSAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else
{
throw new NotSupportedException("Command does not support a suitable AuthType");
}
}
public virtual TPMEntityTypeLSB GetEntityType(AuthSessionNum austhSessionNum)
{
return TPMEntityTypeLSB.TPM_ET_KEYHANDLE;
}
public virtual string GetHandle(AuthSessionNum authSessionNum)
{
return(null);
}
