protected override TPMCommandResponse InternalProcess()
{
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_UnBind);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.WriteUInt32((uint)_inData.Length);
requestBlob.Write(_inData, 0, _inData.Length);
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
uint dataSize = _responseBlob.ReadUInt32();
byte[] responseData = new byte[dataSize];
_responseBlob.Read(responseData, 0, responseData.Length);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("data", responseData);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Unbind, responseParams);
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_nonce, 0, 20);
_pcrSelection.WriteToTpmBlob(requestBlob);
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
// Do signature verification
TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);
byte[] signingData;
using (TPMBlob blob = new TPMBlob())
{
quoteInfo.WriteToTpmBlob(blob);
signingData = blob.ToArray();
}
Parameters pubKeyParams = new Parameters();
pubKeyParams.AddPrimitiveType("key", _params.GetValueOf<string>("key"));
TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
_commandAuthHelper, _keyManager);
if (pubKeyResponse.Status == false)
{
_log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters());
}
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf<string>("key")));
TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf<TPMPubkey>("pubkey");
if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
{
throw new ArgumentException("The TPM_Quote signature could not be verified");
}
Parameters responseParams = new Parameters();
responseParams.AddValue("pcrData", pcrComposite);
responseParams.AddPrimitiveType("sig", signature);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams);
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_usageAuth = _params.GetValueOf<byte[]> ("usage_auth");
_migrationAuth = _params.GetValueOf<byte[]> ("migration_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_usageAuth, xorKey);
ByteHelper.XORBytes(_migrationAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf<string>("parent"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey);
//parent key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_usageAuth, 0, 20);
requestBlob.Write(_migrationAuth, 0, 20);
_tpmKey.WriteToTpmBlob(requestBlob);
using(_keyManager.AcquireLock())
{
AuthorizeMe(requestBlob);
requestBlob.SkipHeader();
if(_params.GetValueOf<string>("parent") == KeyHandle.KEY_SRK)
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK);
else
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("parent")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMKeyCore newKey = new TPMKeyCore(_responseBlob);
_responseParameters = new Parameters();
//Build and save the key identifier
//The key identifier is the hex-string representation of the hash of the newly created key
_responseParameters.AddPrimitiveType("key_identifier",
ByteHelper.ByteArrayToHexString(
new HashProvider().Hash(
new HashByteDataProvider(
ByteHelper.SerializeToBytes(newKey)
)
),
""));
_responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters);
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_encAuth = _params.GetValueOf<byte[]> ("data_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_encAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_encAuth, 0, 20);
TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo);
requestBlob.WriteUInt32((uint)_inData.Length);
requestBlob.Write(_inData, 0, _inData.Length);
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams);
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob ();
requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_LoadKey2);
//If not loaded load now
if(_params.GetValueOf<bool>("parent_key_srk") == false)
_keyManager.LoadKey(_params.GetValueOf<string>("parent_identifier"));
//To be inserted later
requestBlob.WriteUInt32 (0);
_tpmKey.WriteToTpmBlob(requestBlob);
//Blocking authorize, blocks till the user has entered the authorization data
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
_keyManager.EnsureFreeSlot();
uint tpmKeyHandle;
if(_params.GetValueOf<bool>("parent_key_srk"))
tpmKeyHandle = (uint)TPMKeyHandles.TPM_KH_SRK;
else
tpmKeyHandle = _keyManager.IdentifierToHandle(_params.GetValueOf<string>("parent_identifier")).Handle;
//Write key handle to the first position after the header
requestBlob.SkipHeader();
requestBlob.WriteUInt32(tpmKeyHandle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
uint loadedTpmHandle = _responseBlob.ReadUInt32();
KeyHandle loadedHandle = new KeyHandle(_params.GetValueOf<string>("key_identifier"), loadedTpmHandle);
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("handle", loadedHandle);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_LoadKey2, _responseParameters);
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob ();
requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_GetPubKey);
//If not loaded load now
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
//KeyHandle To be inserted later
requestBlob.WriteUInt32 (0);
//Blocking authorize, blocks till the user has entered the authorization data
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
//Write key handle to the first position after the header
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPubkeyCore pubKey = TPMPubkeyCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddValue("pubkey", pubKey);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetPubKey, responseParams);
}
protected override TPMCommandResponse InternalProcess()
{
string key = _params.GetValueOf<string>("key");
_keyManager.LoadKey(key);
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key));
if(keyInfo == null)
throw new ArgumentException(string.Format("TPM_Sign could not retrieve keyinfo for key '{0}'", key));
byte[] areaToSign = null;
if(keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1)
{
//Client has hopefully put data in the right format ready for the tpm to process
if(_params.IsDefined<byte[]>("areaToSign"))
areaToSign = _params.GetValueOf<byte[]>("areaToSign");
//Client just sends data, tpm lib cares about the right, signature dependent, processing
else if(_params.IsDefined<byte[]>("data"))
{
byte[] data = _params.GetValueOf<byte[]>("data");
areaToSign = new HashProvider().Hash(new HashByteDataProvider(data));
}
if(areaToSign.Length != 20)
{
throw new ArgumentException(string.Format("Sig scheme '{0}' expects an area to sign with length 20!", keyInfo.AlgorithmParams.SigScheme));
}
}
else
throw new ArgumentException(string.Format("TPM_Sign has not implemented signature scheme '{0}' for algorithm '{1}'", keyInfo.AlgorithmParams.SigScheme, keyInfo.AlgorithmParams.AlgorithmId));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Sign);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.WriteUInt32((uint)areaToSign.Length);
requestBlob.Write(areaToSign, 0, areaToSign.Length);
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("sig", signature);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Sign, responseParams);
}
