/// <summary>
/// Signs the data using the Hardware Security Module.
/// </summary>
/// <param name="data">The data to be signed.</param>
/// <returns>The signed data.</returns>
public override byte[] Sign(byte[] data)
{
byte[] result = Array.Empty <byte>();
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE);
int dataIndex = 0;
byte[] iterationBuffer;
if (data.Length <= 1024)
{
result = _tpm2.Hmac(hmacKeyHandle, data, TpmAlgId.Sha256);
}
else
{
// Start the HMAC sequence.
TpmHandle hmacHandle = _tpm2.HmacStart(hmacKeyHandle, Array.Empty <byte>(), TpmAlgId.Sha256);
while (data.Length > dataIndex + 1024)
{
// Repeat to update the HMAC until we only have <=1024 bytes left.
iterationBuffer = new Byte[1024];
Array.Copy(data, dataIndex, iterationBuffer, 0, 1024);
_tpm2.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += 1024;
}
// Finalize the HMAC with the remainder of the data.
iterationBuffer = new Byte[data.Length - dataIndex];
Array.Copy(data, dataIndex, iterationBuffer, 0, data.Length - dataIndex);
result = _tpm2.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out TkHashcheck nullChk);
}
return(result);
}
/// <summary>
/// Signs the data using the previously activated identity key.
/// </summary>
/// <remarks>
/// Calls to the TPM library can potentially return a <see cref="TssException"/> or a <see cref="TpmException"/>
/// if your TPM hardware does not support the relevant API call.
/// </remarks>
/// <param name="data">The data to be signed.</param>
/// <returns>The signed data.</returns>
public override byte[] Sign(byte[] data)
{
if (Logging.IsEnabled)
{
Logging.Enter(this, null, nameof(Sign));
}
if (data == null)
{
throw new ArgumentNullException(nameof(data));
}
byte[] result = Array.Empty <byte>();
var hmacKeyHandle = new TpmHandle(AiothPersistedKeyHandle);
int dataIndex = 0;
byte[] iterationBuffer;
const int maxBufferLength = 1024;
if (data.Length <= maxBufferLength)
{
result = _tpm2.Hmac(hmacKeyHandle, data, TpmAlgId.Sha256);
}
else
{
// Start the HMAC sequence.
TpmHandle hmacHandle = _tpm2.HmacStart(hmacKeyHandle, Array.Empty <byte>(), TpmAlgId.Sha256);
while (data.Length > dataIndex + maxBufferLength)
{
// Repeat to update the HMAC until we only have <=1024 bytes left.
iterationBuffer = new byte[maxBufferLength];
Array.Copy(data, dataIndex, iterationBuffer, 0, maxBufferLength);
_tpm2.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += maxBufferLength;
}
// Finalize the HMAC with the remainder of the data.
iterationBuffer = new byte[data.Length - dataIndex];
Array.Copy(data, dataIndex, iterationBuffer, 0, data.Length - dataIndex);
result = _tpm2.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out TkHashcheck nullChk);
}
if (Logging.IsEnabled)
{
Logging.Exit(this, null, nameof(Sign));
}
return(result);
}
/// <summary>
/// Sign data using the key stored in the TPM. The signing is done inside the TPM to avoid exposing the key.
/// This is similar to using <see cref="System.Security.Cryptography.SHA256CryptoServiceProvider"/> which
/// uses <see cref="System.Security.Cryptography.HMACSHA256"/> inside.
/// </summary>
/// <param name="data"></param>
/// <returns></returns>
public byte[] Sign(byte[] data)
{
TpmHandle hmacKeyHandle = new TpmHandle(PERSISTED_KEY_HANDLE + logicalDeviceId);
int dataIndex = 0;
byte[] iterationBuffer, result = Array.Empty <byte>();
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
using (var tpm = new Tpm2(tpmDevice))
{
if (data.Length <= 1024)
{
// Calculate the HMAC in one shot
result = tpm.Hmac(hmacKeyHandle, data, TpmAlgId.Sha256);
}
else
{
// Start the HMAC sequence
TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, Array.Empty <byte>(), TpmAlgId.Sha256);
while (data.Length > dataIndex + 1024)
{
// Repeat to update the hmac until we only hace <=1024 bytes left
iterationBuffer = new byte[1024];
Array.Copy(data, dataIndex, iterationBuffer, 0, 1024);
tpm.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += 1024;
}
// Finalize the hmac with the remainder of the data
iterationBuffer = new byte[data.Length - dataIndex];
Array.Copy(data, dataIndex, iterationBuffer, 0, data.Length - dataIndex);
result = tpm.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out TkHashcheck nullChk);
}
}
}
catch { }
return(result);
}
public Byte[] SignHmac(Byte[] dataToSign)
{
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
int dataIndex = 0;
Byte[] iterationBuffer;
Byte[] hmac = { };
if (dataToSign.Length <= 1024)
{
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Calculate the HMAC in one shot
hmac = tpm.Hmac(hmacKeyHandle, dataToSign, TpmAlgId.Sha256);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(hmac);
}
}
else
{
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Start the HMAC sequence
Byte[] hmacAuth = new byte[0];
TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, hmacAuth, TpmAlgId.Sha256);
while (dataToSign.Length > dataIndex + 1024)
{
// Repeat to update the hmac until we only hace <=1024 bytes left
iterationBuffer = new Byte[1024];
Array.Copy(dataToSign, dataIndex, iterationBuffer, 0, 1024);
tpm.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += 1024;
}
// Finalize the hmac with the remainder of the data
iterationBuffer = new Byte[dataToSign.Length - dataIndex];
Array.Copy(dataToSign, dataIndex, iterationBuffer, 0, dataToSign.Length - dataIndex);
TkHashcheck nullChk;
hmac = tpm.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out nullChk);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(hmac);
}
}
return(hmac);
}
/// <summary>
/// Funzione per la firma HMAC tramite TPM
/// </summary>
/// <param name="dataToAuth"></param>
/// <returns></returns>
public static Byte[] CalculateHmac(Byte[] dataToAuth)
{
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
int dataIndex = 0;
Byte[] iterationBuffer;
Byte[] hmac = { };
// Se i valori da firmare sono < 1024 byte
if (dataToAuth.Length <= 1024)
{
try
{
// Apertura del TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Calcolo dell'HMAC tramite la funzione salvata in precedenza
hmac = tpm.Hmac(hmacKeyHandle, dataToAuth, TpmAlgId.Sha256);
// Dispose del TPM
tpm.Dispose();
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
return(hmac);
}
}
else
{
try
{
// Apertura del TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Inizio della sequenza HMAC
Byte[] hmacAuth = new byte[0];
TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, hmacAuth, TpmAlgId.Sha256);
// ciclo su tutti i dati da firmare a blocchi da 1024 byte
while (dataToAuth.Length > dataIndex + 1024)
{
// Repeat to update the hmac until we only hace <=1024 bytes left
iterationBuffer = new Byte[1024];
Array.Copy(dataToAuth, dataIndex, iterationBuffer, 0, 1024);
// Caricamento dei dati nel tpm (calcolo parziale)
tpm.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += 1024;
}
// Caricamento della parte finale
iterationBuffer = new Byte[dataToAuth.Length - dataIndex];
Array.Copy(dataToAuth, dataIndex, iterationBuffer,
0, dataToAuth.Length - dataIndex);
TkHashcheck nullChk;
// Si finalizza l'HMAC con l'ultima parte dei dati
hmac = tpm.SequenceComplete(hmacHandle, iterationBuffer,
TpmHandle.RhNull, out nullChk);
// Dispose del TPM
tpm.Dispose();
}
catch
{
return(hmac);
}
}
return(hmac);
}
