public override TPMCommandResponse Process()
{
if (_params.IsDefined <ITPMHandle>("handle") == false ||
_params.IsDefined <byte[]>("context_blob") == false)
{
return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_LoadContext, new Parameters()));
}
ITPMHandle handle = _params.GetValueOf <ITPMHandle>("handle");
TPMBlob blob = new TPMBlob();
blob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_LoadContext);
blob.WriteUInt32(handle.Handle);
blob.WriteBool(handle.ForceHandle);
blob.WriteUInt32((uint)handle.ContextBlob.Length);
blob.Write(handle.ContextBlob, 0, handle.ContextBlob.Length);
TPMBlob responseBlob = TransmitMe(blob);
responseBlob.SkipHeader();
handle.Handle = responseBlob.ReadUInt32();
Parameters responseParameters = new Parameters();
responseParameters.AddValue("handle", handle);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_LoadContext, responseParameters));
}
public override TPMCommandResponse Process()
{
byte[] nonce = NonceGenerator.GenerateByteNonce(20);
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadPubek);
requestBlob.Write(nonce, 0, nonce.Length);
requestBlob.WriteCmdSize();
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader();
long posStart = responseBlob.Position;
TPMPubkeyCore pubkey = TPMPubkeyCore.CreateFromTPMBlob(responseBlob);
long posEnd = responseBlob.Position;
Digest digest = new Digest(responseBlob, 20);
if (digest.CompareTo(
new HashStreamDataProvider(responseBlob, posStart, posEnd - posStart, false),
new HashByteDataProvider(nonce)) == false)
{
throw new TPMResponseException("Local digest does not match remote digest");
}
Parameters responseParams = new Parameters();
responseParams.AddValue(TPMPubkey.PARAM_TPM_PUBKEY, pubkey);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadPubek, responseParams));
}
/// <summary>
/// Performs the actual swap-in operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedIn(KeyHandleItem item)
{
if (item.Status != KeyHandleItem.KeyHandleStatus.SwappedOut)
{
throw new ArgumentException("Invalid key handle state for swap in operation");
}
if (AvailableKeySlots <= LoadedKeys)
{
SwapOut();
}
Parameters swapInParameters = new Parameters();
swapInParameters.AddValue("handle", item.KeyHandle);
swapInParameters.AddPrimitiveType("context_blob", item.KeyHandle.ContextBlob);
TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters);
TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest);
if (swapInResponse.Status == false)
{
throw new TPMRequestException("Keymanager: Unknown error while swap in operation");
}
item.KeyHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle;
}
/// <summary>
/// Seals data to the specified pcr selection,
/// create a valid pcr selection with session.CreateEmptyPCRSelection
/// </summary>
/// <param name="pcrSelection"></param>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
paramsSeal.AddValue("pcr_selection", pcrSelection);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));
if (authSeal.Hashed == false)
{
authSeal.Hash();
}
authSeal.DecryptHash();
paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);
try
{
TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
return(sealResponse.Parameters.GetValueOf <byte[]>("data"));
}
finally
{
if (authSeal != null)
{
authSeal.ClearHash();
}
}
}
/// <summary>
/// Performs the actual swap-in operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedIn(AuthHandleItem item)
{
//uint oldHandle = item.AuthHandle.Handle;
if (item.Status != AuthHandleItem.AuthHandleStatus.SwappedOut)
{
throw new ArgumentException("Invalid auth handle state for swap in operation");
}
using (new LockContext(_authHandles, "AuthHandleManager::SwappedIn"))
{
if (AvailableSessionSlots <= LoadedSessions)
{
SwapOut();
}
Parameters swapInParameters = new Parameters();
swapInParameters.AddValue("handle", item.AuthHandle);
swapInParameters.AddPrimitiveType("context_blob", item.AuthHandle.ContextBlob);
TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters);
TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest);
if (swapInResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap in operation");
}
item.AuthHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle;
item.Status = AuthHandleItem.AuthHandleStatus.SwappedIn;
}
}
/// <summary>
/// Performs the actual swap-out operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedOut(AuthHandleItem item)
{
if (item.Status != AuthHandleItem.AuthHandleStatus.SwappedIn)
{
throw new ArgumentException("Invalid auth handle state for swap out operation");
}
using (new LockContext(_authHandles, "AuthHandleManager::SwappedOut"))
{
Parameters swapOutParameters = new Parameters();
swapOutParameters.AddValue("handle", item.AuthHandle);
TPMCommandRequest swapOutRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_SaveContext, swapOutParameters);
TPMCommandResponse swapOutResponse = _tpmContext.TPM.Process(swapOutRequest);
if (swapOutResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap out operation");
}
item.Status = AuthHandleItem.AuthHandleStatus.SwappedOut;
item.AuthHandle.ContextBlob = swapOutResponse.Parameters.GetValueOf <byte[]>("context_blob");
}
}
/// <summary>
/// Performs the actual swap-out operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedOut(KeyHandleItem item)
{
if (item.Status != KeyHandleItem.KeyHandleStatus.SwappedIn)
{
throw new ArgumentException("Invalid auth handle state for swap out operation");
}
Parameters swapOutParameters = new Parameters();
swapOutParameters.AddValue("handle", item.KeyHandle);
TPMCommandRequest swapOutRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_SaveContext, swapOutParameters);
TPMCommandResponse swapOutResponse = _tpmContext.TPM.Process(swapOutRequest);
if (swapOutResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap out operation");
}
//For key handles the tpm does not release the memory after save context
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, swapOutParameters);
TPMCommandResponse flushResponse = _tpmContext.TPM.Process(flushRequest);
if (flushResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap out (flush) operation");
}
item.Status = KeyHandleItem.KeyHandleStatus.SwappedOut;
item.KeyHandle.ContextBlob = swapOutResponse.Parameters.GetValueOf <byte[]>("context_blob");
}
public override TPMCommandResponse Process()
{
byte[] nonce = NonceGenerator.GenerateByteNonce (20);
TPMBlob requestBlob = new TPMBlob ();
requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadPubek);
requestBlob.Write (nonce, 0, nonce.Length);
requestBlob.WriteCmdSize ();
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader ();
long posStart = responseBlob.Position;
TPMPubkeyCore pubkey = TPMPubkeyCore.CreateFromTPMBlob(responseBlob);
long posEnd = responseBlob.Position;
Digest digest = new Digest (responseBlob, 20);
if (digest.CompareTo (
new HashStreamDataProvider (responseBlob, posStart, posEnd - posStart, false),
new HashByteDataProvider (nonce)) == false)
{
throw new TPMResponseException ("Local digest does not match remote digest");
}
Parameters responseParams = new Parameters ();
responseParams.AddValue (TPMPubkey.PARAM_TPM_PUBKEY, pubkey);
return new TPMCommandResponse (true, TPMCommandNames.TPM_CMD_ReadPubek, responseParams);
}
/// <summary>
/// Reads the configured tpm devices from the configuration and
/// sets up the corresponding tpm contexts
/// </summary>
private void SetupTPMContexts()
{
IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection("connections");
foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices)
{
try
{
_logger.InfoFormat("Setting up tpm context '{0}'", device.TPMName);
TPMWrapper tpmDevice = new TPMWrapper();
tpmDevice.Init(device.TPMType, device.Parameters);
TPMContext tpmContext = new TPMContext(device.TPMName, tpmDevice);
_tpmContexts.Add(device.TPMName, tpmContext);
_logger.InfoFormat("Flushing device '{0}'", device.TPMName);
foreach (TPMResourceType resourceType in new TPMResourceType[] {
TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY
})
{
Parameters listLoadedHandlesParameters = new Parameters();
listLoadedHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listLoadedHandlesParameters.AddPrimitiveType("handle_type", resourceType);
TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability,
listLoadedHandlesParameters);
TPMCommandResponse response = tpmDevice.Process(listLoadedHandlesRequest);
if (response.Status == false)
{
throw new Exception("An unknown tpm exception while flushing occured");
}
foreach (uint handle in response.Parameters.GetValueOf <HandleList> ("handles"))
{
Parameters flushParameters = new Parameters();
flushParameters.AddValue("handle", HandleFactory.Create(resourceType, handle));
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters);
TPMCommandResponse flushResponse = tpmDevice.Process(flushRequest);
if (flushResponse.Status == false)
{
throw new Exception("Something went wrong while flushing");
}
}
}
_logger.InfoFormat("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType);
}
catch (Exception ex)
{
_logger.FatalFormat("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex);
}
///Set the Assembly search order for incoming Parameters so that core classes are always at first
Parameters.AssemblySearchOrder = new Assembly[] {
typeof(TPMWrapper).Assembly, //lib core
typeof(ITypedParameter).Assembly
}; //lib common
}
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_OIAP);
requestBlob.WriteCmdSize();
_commandAuthHelper.EnsureFreeSlot();
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader();
AuthHandleCore authHandle = new AuthHandleCore(AuthHandle.AuthType.OIAP, responseBlob);
_responseParameters = new Parameters();
_responseParameters.AddValue("auth_handle", authHandle);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_OIAP, _responseParameters);
}
public override TPMCommandResponse Process()
{
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadCounter);
requestBlob.WriteUInt32(_params.GetValueOf<uint>("counter_id"));
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _params.GetValueOf<uint>("counter_id"));
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadCounter, _responseParameters);
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_OIAP);
requestBlob.WriteCmdSize();
_commandAuthHelper.EnsureFreeSlot();
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader();
AuthHandleCore authHandle = new AuthHandleCore(AuthHandle.AuthType.OIAP, responseBlob);
_responseParameters = new Parameters();
_responseParameters.AddValue("auth_handle", authHandle);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_OIAP, _responseParameters));
}
public override TPMCommandResponse Process()
{
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadCounter);
requestBlob.WriteUInt32(_params.GetValueOf <uint>("counter_id"));
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _params.GetValueOf <uint>("counter_id"));
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadCounter, _responseParameters));
}
protected override TPMCommandResponse InternalProcess()
{
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_IncrementCounter);
requestBlob.WriteUInt32(_params.GetValueOf <uint>("counter_id"));
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters));
}
/// <summary>
/// Cryptographically reports the selected PCR values and returns
/// the TPMPCRComposite and the generated signature. If no
/// external data is supplied a random nonce is generated on the server.
/// The length of externalData is defined by the hashing algorithm used by the TPM
/// </summary>
/// <param name="pcrs"></param>
/// <param name="externalData">Nonce used for the quoting operation,
/// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value
/// with the correct length</param>
/// <returns></returns>
public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData)
{
Parameters quoteParameters = new Parameters();
quoteParameters.AddPrimitiveType("key", _keyIdentifier);
quoteParameters.AddValue("targetPCR", pcrs);
if (externalData != null)
{
quoteParameters.AddPrimitiveType("externalData", externalData);
}
TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters);
return(new QuoteResponse(response.Parameters.GetValueOf <TPMPCRComposite>("pcrData"),
response.Parameters.GetValueOf <byte[]>("sig")));
}
/// <summary>
/// Really destroys the auth handle on the tpm AND in the local cache
/// </summary>
/// <param name="item">
/// A <see cref="AuthHandleItem"/>
/// </param>
private void InternalDestroyHandle(AuthHandleItem item)
{
Parameters parameters = new Parameters();
parameters.AddValue("handle", item.AuthHandle);
parameters.AddPrimitiveType("ignore_tpm_error", true);
TPMCommandRequest destroyHandleRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, parameters);
TPMCommandResponse destroyHandleResponse = _tpmContext.TPM.Process(destroyHandleRequest);
if (!destroyHandleResponse.Status)
{
throw new TPMRequestException("Error on flushing auth handle context, aborting");
}
_logger.DebugFormat("Authhandles before remove: {0}", _authHandles);
InternalRemoveAuthHandle(item);
_logger.DebugFormat("Authhandles after remove: {0}", _authHandles);
}
protected override TPMCommandResponse InternalProcess()
{
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_secret, xorKey);
if (_secret.Length != 20)
{
throw new ArgumentException("secret needs to be 20 bytes long (SHA1 hash)");
}
if (_label.Length != 4)
{
throw new ArgumentException("Label needs to be 4 bytes long");
}
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateCounter);
requestBlob.Write(_secret, 0, 20);
requestBlob.Write(_label, 0, 4);
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters));
}
/// <summary>
/// Flushes all keys that belong to the specified context
/// </summary>
/// <param name="keyContext">context to check</param>
public void UnloadKeysOfContext(object keyContext)
{
using (AcquireLock())
{
List <KeyHandleItem> keysToRemove = new List <KeyHandleItem>();
foreach (KeyHandleItem item in _keyHandles)
{
if (item.KeyContext.Equals(keyContext))
{
keysToRemove.Add(item);
}
}
foreach (KeyHandleItem item in keysToRemove)
{
_keyHandles.RemoveKeyHandle(item);
//Flush the key
if (item.Status == KeyHandleItem.KeyHandleStatus.SwappedIn)
{
Parameters flushParams = new Parameters();
flushParams.AddValue("handle", item.KeyHandle);
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, flushParams);
_tpmContext.TPM.Process(flushRequest);
}
//Flush the context
else if (item.Status == KeyHandleItem.KeyHandleStatus.SwappedOut)
{
Parameters flushParams = new Parameters();
flushParams.AddValue("handle", new ContextHandle(item.KeyHandle.ContextBlob));
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, flushParams);
_tpmContext.TPM.Process(flushRequest);
}
}
}
}
public override TPMCommandResponse Process()
{
if(_params.IsDefined<ITPMHandle>("handle") == false ||
_params.IsDefined<byte[]>("context_blob") == false)
return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_LoadContext, new Parameters());
ITPMHandle handle = _params.GetValueOf<ITPMHandle>("handle");
TPMBlob blob = new TPMBlob();
blob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_LoadContext);
blob.WriteUInt32(handle.Handle);
blob.WriteBool(handle.ForceHandle);
blob.WriteUInt32((uint)handle.ContextBlob.Length);
blob.Write(handle.ContextBlob, 0, handle.ContextBlob.Length);
TPMBlob responseBlob = TransmitMe(blob);
responseBlob.SkipHeader();
handle.Handle = responseBlob.ReadUInt32();
Parameters responseParameters = new Parameters();
responseParameters.AddValue("handle", handle);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_LoadContext, responseParameters);
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_GetPubKey);
//If not loaded load now
_keyManager.LoadKey(_params.GetValueOf <string>("key"));
//KeyHandle To be inserted later
requestBlob.WriteUInt32(0);
//Blocking authorize, blocks till the user has entered the authorization data
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
//Write key handle to the first position after the header
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPubkeyCore pubKey = TPMPubkeyCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddValue("pubkey", pubKey);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetPubKey, responseParams));
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_nonce, 0, 20);
_pcrSelection.WriteToTpmBlob(requestBlob);
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
// Do signature verification
TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);
byte[] signingData;
using (TPMBlob blob = new TPMBlob())
{
quoteInfo.WriteToTpmBlob(blob);
signingData = blob.ToArray();
}
Parameters pubKeyParams = new Parameters();
pubKeyParams.AddPrimitiveType("key", _params.GetValueOf<string>("key"));
TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
_commandAuthHelper, _keyManager);
if (pubKeyResponse.Status == false)
{
_log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters());
}
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf<string>("key")));
TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf<TPMPubkey>("pubkey");
if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
{
throw new ArgumentException("The TPM_Quote signature could not be verified");
}
Parameters responseParams = new Parameters();
responseParams.AddValue("pcrData", pcrComposite);
responseParams.AddPrimitiveType("sig", signature);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams);
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob ();
requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_GetPubKey);
//If not loaded load now
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
//KeyHandle To be inserted later
requestBlob.WriteUInt32 (0);
//Blocking authorize, blocks till the user has entered the authorization data
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
//Write key handle to the first position after the header
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPubkeyCore pubKey = TPMPubkeyCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddValue("pubkey", pubKey);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetPubKey, responseParams);
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_GetCapability);
requestBlob.WriteUInt32((uint)_capArea);
switch (_capArea)
{
case CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL:
//Subcaps are ignored by TPM_CAP_VERSION_VAL
requestBlob.WriteUInt32(0);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE:
requestBlob.WriteUInt32(4);
requestBlob.WriteUInt32((uint)_param.GetValueOf <TPMResourceType> ("handle_type"));
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY:
CapabilityData.TPMSubCapProperty subCap = _param.GetValueOf <CapabilityData.TPMSubCapProperty> ("subCap");
//Size of subcap
requestBlob.WriteUInt32(4);
requestBlob.WriteUInt32((uint)subCap);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE:
CapabilityDataCore.TPMSelectSizeCore tpmSelectSize =
CapabilityDataCore.TPMSelectSizeCore.CreateVersion12(_param.GetValueOf <ushort>(CapabilityData.PARAM_PROP_SELECT_SIZE));
TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, tpmSelectSize);
break;
default:
throw new NotSupportedException("Defined cap or subcap are not supported");
}
// if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL)
// {
// //Subcaps are ignored by TPM_CAP_VERSION_VAL
// requestBlob.WriteUInt32 (0);
// }
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE)
// {
// requestBlob.WriteUInt32 (4);
// requestBlob.WriteUInt32 ((uint)_param.GetValueOf<TPMResourceType> ("handle_type"));
// }
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY)
// {
// CapabilityData.TPMSubCapProperty subCap = _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap");
//
// //Size of subcap
// requestBlob.WriteUInt32 (4);
// requestBlob.WriteUInt32 ((uint)subCap);
// }
// else
// throw new NotSupportedException ("Defined cap or subcap are not supported");
requestBlob.WriteCmdSize();
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader();
Parameters parameters = new Parameters();
switch (_capArea)
{
case CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL:
CapabilityDataCore.TPMCapVersionInfoCore tpmVersionInfo = new CapabilityDataCore.TPMCapVersionInfoCore(responseBlob);
parameters.AddValue(CapabilityData.PARAM_TPM_VERSION_INFO, tpmVersionInfo);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE:
responseBlob.SkipHeader();
//Reads the response size, which is ignored
responseBlob.ReadUInt32();
HandleListCore handleList = new HandleListCore(responseBlob, _param.GetValueOf <TPMResourceType> ("handle_type"));
parameters.AddValue("handles", handleList);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY:
responseBlob.SkipHeader();
switch (_param.GetValueOf <CapabilityData.TPMSubCapProperty> ("subCap"))
{
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_PCR, ReadUInt32Response(responseBlob));
break;
//case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_DIR:
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_DIR, ReadUInt32Response (responseBlob));
// break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MANUFACTURER:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_MANUFACTURER, ReadUInt32Response(responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_KEYS:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_KEYS, ReadUInt32Response(responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_MAX_AUTHSESS, ReadUInt32Response(responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_MAX_TRANSESS, ReadUInt32Response(responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_MAX_KEYS, ReadUInt32Response(responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_MAX_SESSIONS, ReadUInt32Response(responseBlob));
break;
default:
throw new NotSupportedException("Defined cap or subcap are not supported");
}
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_SELECT_SIZE, ReadBoolResponse(responseBlob));
break;
}
// if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL)
// {
// CapabilityDataCore.TPMCapVersionInfoCore tpmVersionInfo = new CapabilityDataCore.TPMCapVersionInfoCore (responseBlob);
// parameters.AddValue (CapabilityData.PARAM_TPM_VERSION_INFO, tpmVersionInfo);
// }
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE)
// {
// responseBlob.SkipHeader ();
//
// //Reads the response size, which is ignored
// responseBlob.ReadUInt32 ();
//
// HandleListCore handleList = new HandleListCore (responseBlob, _param.GetValueOf<TPMResourceType> ("handle_type"));
// parameters.AddValue ("handles", handleList);
// }
//
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_PCR, ReadUInt32Response (responseBlob));
// }
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_AUTHSESS, ReadUInt32Response (responseBlob));
// }
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_TRANSESS, ReadUInt32Response (responseBlob));
// }
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_SESSIONS, ReadUInt32Response (responseBlob));
// }
// else
// throw new NotSupportedException("Defined cap or subcap are not supported");
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetCapability, parameters));
}
protected override TPMCommandResponse InternalProcess()
{
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_IncrementCounter);
requestBlob.WriteUInt32(_params.GetValueOf<uint>("counter_id"));
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters);
}
protected override TPMCommandResponse InternalProcess()
{
AuthHandle auth1OSAP =_commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_secret, xorKey);
if(_secret.Length != 20)
throw new ArgumentException("secret needs to be 20 bytes long (SHA1 hash)");
if(_label.Length != 4)
throw new ArgumentException("Label needs to be 4 bytes long");
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateCounter);
requestBlob.Write(_secret, 0, 20);
requestBlob.Write(_label, 0, 4);
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters);
}
/// <summary>
/// Seals data to the specified pcr selection,
/// create a valid pcr selection with session.CreateEmptyPCRSelection
/// </summary>
/// <param name="pcrSelection"></param>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
paramsSeal.AddValue("pcr_selection", pcrSelection);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));
if(authSeal.Hashed == false)
authSeal.Hash();
authSeal.DecryptHash();
paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);
try
{
TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
return sealResponse.Parameters.GetValueOf<byte[]>("data");
}
finally
{
if(authSeal != null)
authSeal.ClearHash();
}
}
/// <summary>
/// Cryptographically reports the selected PCR values and returns
/// the TPMPCRComposite and the generated signature. If no
/// external data is supplied a random nonce is generated on the server.
/// The length of externalData is defined by the hashing algorithm used by the TPM
/// </summary>
/// <param name="pcrs"></param>
/// <param name="externalData">Nonce used for the quoting operation,
/// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value
/// with the correct length</param>
/// <returns></returns>
public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData)
{
Parameters quoteParameters = new Parameters();
quoteParameters.AddPrimitiveType("key", _keyIdentifier);
quoteParameters.AddValue("targetPCR", pcrs);
if(externalData != null)
quoteParameters.AddPrimitiveType("externalData", externalData);
TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters);
return new QuoteResponse(response.Parameters.GetValueOf<TPMPCRComposite>("pcrData"),
response.Parameters.GetValueOf<byte[]>("sig"));
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob ();
requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_GetCapability);
requestBlob.WriteUInt32 ((uint)_capArea);
switch(_capArea)
{
case CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL:
//Subcaps are ignored by TPM_CAP_VERSION_VAL
requestBlob.WriteUInt32 (0);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE:
requestBlob.WriteUInt32 (4);
requestBlob.WriteUInt32 ((uint)_param.GetValueOf<TPMResourceType> ("handle_type"));
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY:
CapabilityData.TPMSubCapProperty subCap = _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap");
//Size of subcap
requestBlob.WriteUInt32 (4);
requestBlob.WriteUInt32 ((uint)subCap);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE:
CapabilityDataCore.TPMSelectSizeCore tpmSelectSize =
CapabilityDataCore.TPMSelectSizeCore.CreateVersion12(_param.GetValueOf<ushort>(CapabilityData.PARAM_PROP_SELECT_SIZE));
TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, tpmSelectSize);
break;
default:
throw new NotSupportedException ("Defined cap or subcap are not supported");
}
// if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL)
// {
// //Subcaps are ignored by TPM_CAP_VERSION_VAL
// requestBlob.WriteUInt32 (0);
// }
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE)
// {
// requestBlob.WriteUInt32 (4);
// requestBlob.WriteUInt32 ((uint)_param.GetValueOf<TPMResourceType> ("handle_type"));
// }
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY)
// {
// CapabilityData.TPMSubCapProperty subCap = _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap");
//
// //Size of subcap
// requestBlob.WriteUInt32 (4);
// requestBlob.WriteUInt32 ((uint)subCap);
// }
// else
// throw new NotSupportedException ("Defined cap or subcap are not supported");
requestBlob.WriteCmdSize ();
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader ();
Parameters parameters = new Parameters ();
switch(_capArea)
{
case CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL:
CapabilityDataCore.TPMCapVersionInfoCore tpmVersionInfo = new CapabilityDataCore.TPMCapVersionInfoCore (responseBlob);
parameters.AddValue (CapabilityData.PARAM_TPM_VERSION_INFO, tpmVersionInfo);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE:
responseBlob.SkipHeader ();
//Reads the response size, which is ignored
responseBlob.ReadUInt32 ();
HandleListCore handleList = new HandleListCore (responseBlob, _param.GetValueOf<TPMResourceType> ("handle_type"));
parameters.AddValue ("handles", handleList);
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY:
responseBlob.SkipHeader ();
switch(_param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap"))
{
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_PCR, ReadUInt32Response (responseBlob));
break;
//case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_DIR:
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_DIR, ReadUInt32Response (responseBlob));
// break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MANUFACTURER:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MANUFACTURER, ReadUInt32Response (responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_KEYS:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_KEYS, ReadUInt32Response (responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_AUTHSESS, ReadUInt32Response (responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_TRANSESS, ReadUInt32Response (responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_KEYS, ReadUInt32Response (responseBlob));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS:
parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_SESSIONS, ReadUInt32Response (responseBlob));
break;
default:
throw new NotSupportedException("Defined cap or subcap are not supported");
}
break;
case CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE:
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_SELECT_SIZE, ReadBoolResponse(responseBlob));
break;
}
// if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL)
// {
// CapabilityDataCore.TPMCapVersionInfoCore tpmVersionInfo = new CapabilityDataCore.TPMCapVersionInfoCore (responseBlob);
// parameters.AddValue (CapabilityData.PARAM_TPM_VERSION_INFO, tpmVersionInfo);
// }
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE)
// {
// responseBlob.SkipHeader ();
//
// //Reads the response size, which is ignored
// responseBlob.ReadUInt32 ();
//
// HandleListCore handleList = new HandleListCore (responseBlob, _param.GetValueOf<TPMResourceType> ("handle_type"));
// parameters.AddValue ("handles", handleList);
// }
//
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_PCR, ReadUInt32Response (responseBlob));
// }
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_AUTHSESS, ReadUInt32Response (responseBlob));
// }
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_TRANSESS, ReadUInt32Response (responseBlob));
// }
//
// else if (_capArea == CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY &&
// _param.GetValueOf<CapabilityData.TPMSubCapProperty> ("subCap") == CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS)
// {
// responseBlob.SkipHeader ();
// parameters.AddPrimitiveType (CapabilityData.PARAM_PROP_MAX_SESSIONS, ReadUInt32Response (responseBlob));
// }
// else
// throw new NotSupportedException("Defined cap or subcap are not supported");
return new TPMCommandResponse (true, TPMCommandNames.TPM_CMD_GetCapability, parameters);
}
public override TPMCommandResponse Process()
{
TPMEntityTypeLSB entityLSB = _params.GetValueOf <TPMEntityTypeLSB>("entity_lsb");
TPMEntityTypeMSB entityMSB = _params.GetValueOf <TPMEntityTypeMSB>("entity_msb");
string identifier = _params.GetValueOf <string>("entity_value");
if (entityLSB != TPMEntityTypeLSB.TPM_ET_KEYHANDLE &&
entityLSB != TPMEntityTypeLSB.TPM_ET_SRK &&
entityLSB != TPMEntityTypeLSB.TPM_ET_OWNER)
{
throw new ArgumentException("TPM_OSAP does currently not support entityType: " + entityLSB.ToString());
}
if (entityMSB != TPMEntityTypeMSB.TPM_ET_XOR)
{
throw new ArgumentException(string.Format("TPM_OSAP does currently not support '{0}' EncAuth encryption", entityMSB));
}
if (entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
entityLSB == TPMEntityTypeLSB.TPM_ET_SRK)
{
//We now know that the current identifier is a key identifier (maybe srk, but then the value is ignored by TPM_OSAP).
//So we invoke the key manager to load the key with the specified identifier and establish an OSAP session
_keyManager.LoadKey(identifier);
}
//handle is not known yet
AuthHandle authHandle = new AuthHandle(AuthHandle.AuthType.OSAP, 0);
authHandle.EntityType = entityLSB;
authHandle.NewNonceOddOSAP();
using (_keyManager.AcquireLock())
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_OSAP);
requestBlob.WriteUInt16((ushort)(((ushort)entityMSB << 8) | (ushort)entityLSB));
if (entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
entityLSB == TPMEntityTypeLSB.TPM_ET_SRK)
{
if (identifier == KeyHandle.KEY_SRK)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK);
authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_SRK;
}
else
{
KeyHandle keyHandle = _keyManager.IdentifierToHandle(identifier);
requestBlob.WriteUInt32(keyHandle.Handle);
authHandle.EntityValue = keyHandle.Handle;
}
}
else if (entityLSB == TPMEntityTypeLSB.TPM_ET_OWNER)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_OWNER);
authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_OWNER;
}
requestBlob.Write(authHandle.NonceOddOSAP, 0, authHandle.NonceOddOSAP.Length);
requestBlob.WriteCmdSize();
_commandAuthHelper.EnsureFreeSlot();
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
AuthHandleCore receivedAuthHandle = new AuthHandleCore(AuthHandle.AuthType.OSAP, _responseBlob);
authHandle.UpdateFromOtherAuthHandle(receivedAuthHandle);
_responseParameters = new Parameters();
_responseParameters.AddValue("auth_handle", authHandle);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_OSAP, _responseParameters));
}
/// <summary>
/// Reads the configured tpm devices from the configuration and
/// sets up the corresponding tpm contexts
/// </summary>
private void SetupTPMContexts()
{
IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection ("connections");
foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices)
{
try
{
_logger.InfoFormat ("Setting up tpm context '{0}'", device.TPMName);
TPMWrapper tpmDevice = new TPMWrapper ();
tpmDevice.Init (device.TPMType, device.Parameters);
TPMContext tpmContext = new TPMContext (device.TPMName, tpmDevice);
_tpmContexts.Add (device.TPMName, tpmContext);
_logger.InfoFormat ("Flushing device '{0}'", device.TPMName);
foreach (TPMResourceType resourceType in new TPMResourceType[] {
TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY})
{
Parameters listLoadedHandlesParameters = new Parameters ();
listLoadedHandlesParameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listLoadedHandlesParameters.AddPrimitiveType ("handle_type", resourceType);
TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest (TPMCommandNames.TPM_CMD_GetCapability,
listLoadedHandlesParameters);
TPMCommandResponse response = tpmDevice.Process (listLoadedHandlesRequest);
if (response.Status == false)
throw new Exception ("An unknown tpm exception while flushing occured");
foreach (uint handle in response.Parameters.GetValueOf<HandleList> ("handles"))
{
Parameters flushParameters = new Parameters ();
flushParameters.AddValue ("handle", HandleFactory.Create (resourceType, handle));
TPMCommandRequest flushRequest = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters);
TPMCommandResponse flushResponse = tpmDevice.Process (flushRequest);
if (flushResponse.Status == false)
throw new Exception ("Something went wrong while flushing");
}
}
_logger.InfoFormat ("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType);
}
catch (Exception ex)
{
_logger.FatalFormat ("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex);
}
///Set the Assembly search order for incoming Parameters so that core classes are always at first
Parameters.AssemblySearchOrder = new Assembly[]{
typeof(TPMWrapper).Assembly, //lib core
typeof(ITypedParameter).Assembly}; //lib common
}
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_nonce, 0, 20);
_pcrSelection.WriteToTpmBlob(requestBlob);
_keyManager.LoadKey(_params.GetValueOf <string>("key"));
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
// Do signature verification
TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);
byte[] signingData;
using (TPMBlob blob = new TPMBlob())
{
quoteInfo.WriteToTpmBlob(blob);
signingData = blob.ToArray();
}
Parameters pubKeyParams = new Parameters();
pubKeyParams.AddPrimitiveType("key", _params.GetValueOf <string>("key"));
TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
_commandAuthHelper, _keyManager);
if (pubKeyResponse.Status == false)
{
_log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters()));
}
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf <string>("key")));
TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf <TPMPubkey>("pubkey");
if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
{
throw new ArgumentException("The TPM_Quote signature could not be verified");
}
Parameters responseParams = new Parameters();
responseParams.AddValue("pcrData", pcrComposite);
responseParams.AddPrimitiveType("sig", signature);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams));
}
public override TPMCommandResponse Process()
{
TPMEntityTypeLSB entityLSB = _params.GetValueOf<TPMEntityTypeLSB>("entity_lsb");
TPMEntityTypeMSB entityMSB = _params.GetValueOf<TPMEntityTypeMSB>("entity_msb");
string identifier = _params.GetValueOf<string>("entity_value");
if( entityLSB != TPMEntityTypeLSB.TPM_ET_KEYHANDLE &&
entityLSB != TPMEntityTypeLSB.TPM_ET_SRK &&
entityLSB != TPMEntityTypeLSB.TPM_ET_OWNER)
{
throw new ArgumentException("TPM_OSAP does currently not support entityType: " + entityLSB.ToString());
}
if(entityMSB != TPMEntityTypeMSB.TPM_ET_XOR)
{
throw new ArgumentException(string.Format("TPM_OSAP does currently not support '{0}' EncAuth encryption", entityMSB));
}
if(entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
entityLSB == TPMEntityTypeLSB.TPM_ET_SRK)
{
//We now know that the current identifier is a key identifier (maybe srk, but then the value is ignored by TPM_OSAP).
//So we invoke the key manager to load the key with the specified identifier and establish an OSAP session
_keyManager.LoadKey(identifier);
}
//handle is not known yet
AuthHandle authHandle = new AuthHandle(AuthHandle.AuthType.OSAP, 0);
authHandle.EntityType = entityLSB;
authHandle.NewNonceOddOSAP();
using(_keyManager.AcquireLock())
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_OSAP);
requestBlob.WriteUInt16((ushort)(((ushort)entityMSB << 8) | (ushort)entityLSB));
if(entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
entityLSB == TPMEntityTypeLSB.TPM_ET_SRK)
{
if (identifier == KeyHandle.KEY_SRK)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK);
authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_SRK;
}
else
{
KeyHandle keyHandle = _keyManager.IdentifierToHandle(identifier);
requestBlob.WriteUInt32(keyHandle.Handle);
authHandle.EntityValue = keyHandle.Handle;
}
}
else if(entityLSB == TPMEntityTypeLSB.TPM_ET_OWNER)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_OWNER);
authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_OWNER;
}
requestBlob.Write(authHandle.NonceOddOSAP, 0, authHandle.NonceOddOSAP.Length);
requestBlob.WriteCmdSize();
_commandAuthHelper.EnsureFreeSlot();
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
AuthHandleCore receivedAuthHandle = new AuthHandleCore(AuthHandle.AuthType.OSAP, _responseBlob);
authHandle.UpdateFromOtherAuthHandle(receivedAuthHandle);
_responseParameters = new Parameters();
_responseParameters.AddValue("auth_handle", authHandle);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_OSAP, _responseParameters);
}
