/// <summary>
/// Initialises the command: delegates to the base implementation, resets the
/// cached digest and builds the key structure from the "key_blob" parameter.
/// </summary>
/// <param name="param">Command parameters; must carry a <c>byte[]</c> value named "key_blob".</param>
/// <param name="tpmProvider">Provider handed through to <c>base.Init</c>.</param>
/// <param name="tpmWrapper">Wrapper handed through to <c>base.Init</c>.</param>
public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper)
{
    base.Init(param, tpmProvider, tpmWrapper);

    // Reset before (re)loading the key so no stale digest survives a second Init.
    _digest = null;

    byte[] keyBlob = param.GetValueOf<byte[]>("key_blob");
    _tpmKey = TPMKeyCore.CreateFromBytes(keyBlob);
}
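/// <summary>
/// Retrieves information about a key: resolves the selected TPM context,
/// checks that the caller is authenticated for it, and answers with the key
/// structure built from the stored key blob.
/// </summary>
/// <param name="subsystem">Subsystem the request arrived on (not used by this handler).</param>
/// <param name="requestContext">Request/response context carrying the TPMIdentifier and KeyIdentifier.</param>
private void HandleKeyInfoRequest(TPMSubsystem subsystem, RequestContext<KeyInfoRequest, KeyInfoResponse> requestContext)
{
    string tpmIdentifier = requestContext.Request.TPMIdentifier;
    TPMContext tpmContext;
    KeyInfoResponse response;

    // Single lookup while holding the lock; the dictionary is not touched again afterwards.
    lock (_selectedTPMs)
    {
        if (!_selectedTPMs.TryGetValue(tpmIdentifier, out tpmContext))
        {
            response = requestContext.CreateResponse();
            response.Succeeded = false;
            response.SetKnownErrorCode(TPMSubsystemResponseBase.ErrorCodeEnum.TPMIdentifierNotValid);
            response.Execute();
            return;
        }
    }

    // Authentication is checked against the context obtained above rather than
    // re-indexing _selectedTPMs outside the lock (the original did an unlocked second lookup).
    if (!AssertUserAuthentication("key_info_" + tpmContext.DeviceName, requestContext.CreateResponse()))
    {
        return;
    }

    KeyManagerHelper keyManagerHelper = new KeyManagerHelper(
        ServerContext,
        tpmContext,
        tpmIdentifier,
        new CommandAuthorizationHelper(ServerContext, tpmIdentifier, tpmContext));

    string keyIdentifier = requestContext.Request.KeyIdentifier;
    if (!keyManagerHelper.ContainsIdentifier(keyIdentifier))
    {
        response = requestContext.CreateResponse();
        response.Succeeded = false;
        response.SetKnownErrorCode(TPMSubsystemResponseBase.ErrorCodeEnum.NotAValidKeyIdentifier);
        response.Execute();
        return;
    }

    byte[] keyBlob = keyManagerHelper.GetKeyBlob(keyIdentifier);
    response = requestContext.CreateResponse();
    response.Succeeded = true;
    response.TPMKey = TPMKeyCore.CreateFromBytes(keyBlob);
    response.Execute();
}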
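/// <summary>
/// Executes TPM_Quote for the key named by the "key" parameter: sends the
/// nonce and PCR selection to the TPM, verifies the returned signature against
/// the key's public part and returns the PCR composite plus signature.
/// </summary>
/// <returns>
/// On success a <see cref="TPMCommandResponse"/> with "pcrData" and "sig";
/// a failed response if the public key could not be retrieved.
/// </returns>
/// <exception cref="ArgumentException">Thrown when the quote signature does not verify.</exception>
protected override TPMCommandResponse InternalProcess()
{
    // Read the key identifier once; it is needed in several places below.
    string key = _params.GetValueOf<string>("key");

    // NOTE(review): TPMBlob is disposable (see the quoteInfo block below) but the
    // request blob was never disposed in the original; left as is until TransmitMe's
    // ownership of the request blob is confirmed.
    TPMBlob requestBlob = new TPMBlob();
    requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);

    // Key handle gets inserted later, it may not be available now.
    requestBlob.WriteUInt32(0);
    requestBlob.Write(_nonce, 0, 20);
    _pcrSelection.WriteToTpmBlob(requestBlob);

    _keyManager.LoadKey(key);
    AuthorizeMe(requestBlob);

    using (_keyManager.AcquireLock())
    {
        // Patch the real key handle into the slot reserved above.
        requestBlob.SkipHeader();
        requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle);
        _responseBlob = TransmitMe(requestBlob);
    }

    CheckResponseAuthInfo();
    _responseBlob.SkipHeader();

    TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
    // NOTE(review): sigSize comes from the TPM response and is cast to int unchecked.
    uint sigSize = _responseBlob.ReadUInt32();
    byte[] signature = _responseBlob.ReadBytes((int)sigSize);

    // Rebuild the TPM_QUOTE_INFO structure that the TPM signed so the signature can be checked.
    TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(
        new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)),
        _nonce);

    byte[] signingData;
    using (TPMBlob blob = new TPMBlob())
    {
        quoteInfo.WriteToTpmBlob(blob);
        signingData = blob.ToArray();
    }

    Parameters pubKeyParams = new Parameters();
    pubKeyParams.AddPrimitiveType("key", key);
    TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
    TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest, _commandAuthHelper, _keyManager);

    if (pubKeyResponse.Status == false)
    {
        _log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
        return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters());
    }

    TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key));
    TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf<TPMPubkey>("pubkey");

    // A quote whose signature does not verify must never be handed back to the caller.
    if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
    {
        throw new ArgumentException("The TPM_Quote signature could not be verified");
    }

    Parameters responseParams = new Parameters();
    responseParams.AddValue("pcrData", pcrComposite);
    responseParams.AddPrimitiveType("sig", signature);
    return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams);
}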
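/// <summary>
/// Executes TPM_Sign for the key named by the "key" parameter. The area to
/// sign is taken from "areaToSign" as-is, or derived by hashing "data";
/// only the TPM_SS_RSASSAPKCS1v15_SHA1 signature scheme is supported.
/// </summary>
/// <returns>A successful <see cref="TPMCommandResponse"/> whose "sig" parameter holds the signature.</returns>
/// <exception cref="ArgumentException">
/// Thrown when the key information cannot be retrieved, when neither
/// "areaToSign" nor "data" is supplied, when the area to sign is not
/// 20 bytes long, or when the key's signature scheme is not implemented.
/// </exception>
protected override TPMCommandResponse InternalProcess()
{
    string key = _params.GetValueOf<string>("key");
    _keyManager.LoadKey(key);

    TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key));
    if (keyInfo == null)
    {
        throw new ArgumentException(string.Format("TPM_Sign could not retrieve keyinfo for key '{0}'", key));
    }

    byte[] areaToSign = null;
    if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1)
    {
        if (_params.IsDefined<byte[]>("areaToSign"))
        {
            // Client has (hopefully) already put the data into the format the TPM expects.
            areaToSign = _params.GetValueOf<byte[]>("areaToSign");
        }
        else if (_params.IsDefined<byte[]>("data"))
        {
            // Client sent raw data; the library performs the scheme-dependent processing.
            byte[] data = _params.GetValueOf<byte[]>("data");
            areaToSign = new HashProvider().Hash(new HashByteDataProvider(data));
        }

        // Original code dereferenced areaToSign unconditionally, so a request with
        // neither parameter failed with a NullReferenceException instead of a clear error.
        if (areaToSign == null)
        {
            throw new ArgumentException("TPM_Sign requires either the 'areaToSign' or the 'data' parameter");
        }

        if (areaToSign.Length != 20)
        {
            throw new ArgumentException(string.Format("Sig scheme '{0}' expects an area to sign with length 20!", keyInfo.AlgorithmParams.SigScheme));
        }
    }
    else
    {
        throw new ArgumentException(string.Format("TPM_Sign has not implemented signature scheme '{0}' for algorithm '{1}'", keyInfo.AlgorithmParams.SigScheme, keyInfo.AlgorithmParams.AlgorithmId));
    }

    TPMBlob requestBlob = new TPMBlob();
    requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Sign);

    // Key handle gets inserted later, it may not be available now.
    requestBlob.WriteUInt32(0);
    requestBlob.WriteUInt32((uint)areaToSign.Length);
    requestBlob.Write(areaToSign, 0, areaToSign.Length);

    AuthorizeMe(requestBlob);

    using (_keyManager.AcquireLock())
    {
        // Patch the real key handle into the slot reserved above.
        requestBlob.SkipHeader();
        requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle);
        _responseBlob = TransmitMe(requestBlob);
    }

    CheckResponseAuthInfo();
    _responseBlob.SkipHeader();

    // NOTE(review): sigSize comes from the TPM response and is cast to int unchecked.
    uint sigSize = _responseBlob.ReadUInt32();
    byte[] signature = _responseBlob.ReadBytes((int)sigSize);

    Parameters responseParams = new Parameters();
    responseParams.AddPrimitiveType("sig", signature);
    return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Sign, responseParams);
}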