private Create ( |
||
parentHandle | ||
inSensitive | ||
inPublic | byte | |
outsideInfo | byte | |
creationPCR | ||
outPublic | [ | |
creationData | [ | |
creationHash | [ | |
creationTicket | [ | |
return |
/// <summary>
/// Creates a child key under <paramref name="primHandle"/> that can both sign and decrypt,
/// then loads it while demonstrating how TSS.Net "strict mode" changes automatic authorization.
/// </summary>
/// <param name="tpm">Connected TPM object; its strict-mode flag is switched on and then restored.</param>
/// <param name="primHandle">Handle of the primary storage key that will parent the new key.</param>
/// <param name="keyPublic">Receives the public area of the created key.</param>
/// <returns>Handle of the loaded key.</returns>
static TpmHandle CreateSigningDecryptionKey(Tpm2 tpm, TpmHandle primHandle, out TpmPublic keyPublic)
{
    // Sample key template: 2048-bit RSA with a null scheme, usable for both Sign and Decrypt,
    // and fixed to this TPM and to its parent. The SHA-1 name algorithm and the literal auth
    // value below are demo choices for this sample, not settings to copy into a real deployment.
    var attrs = ObjectAttr.Decrypt | ObjectAttr.Sign
              | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
              | ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin;
    var template = new TpmPublic(TpmAlgId.Sha1,
                                 attrs,
                                 new byte[0],
                                 new RsaParms(new SymDefObject(), new NullAsymScheme(), 2048, 0),
                                 new Tpm2bPublicKeyRsa());
    var sensitive = new SensitiveCreate(new byte[] {1, 2, 3}, new byte[0]);

    CreationData creation;
    byte[] hash;
    TkCreation ticket;

    Console.WriteLine("Automatic authorization of a primary storage key.");
    // Normal mode: TSS.Net attaches an auth session for primHandle on its own.
    var keyPrivate = tpm.Create(primHandle, sensitive, template, new byte[0], new PcrSelection[0],
                                out keyPublic, out creation, out hash, out ticket);

    Console.WriteLine("Strict mode.");
    // Strict mode is a TSS.Net feature (not part of the TPM 2.0 specification): while it is on,
    // no auth session is added implicitly, so the first Load is expected to fail with AuthMissing.
    tpm._Behavior.Strict = true;
    tpm._ExpectError(TpmRc.AuthMissing).Load(primHandle, keyPrivate, keyPublic);
    // Requesting a session explicitly succeeds; TSS.Net still supplies the auth value itself.
    var loaded = tpm[Auth.Default].Load(primHandle, keyPrivate, keyPublic);
    // Restore normal (non-strict) behavior for the caller.
    tpm._Behavior.Strict = false;

    Console.WriteLine("Signing decryption key created.");
    return loaded;
}
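/// <summary>
/// Provisions the device identity into the TPM: writes "hostName/deviceId" into an NV index and
/// imports the supplied HMAC key under the storage root key, persisting it at a well-known handle.
/// The TPM device and connection are released on exit, and the managed copy of the key material is
/// cleared once the TPM holds it.
/// </summary>
/// <param name="encodedHmacKey">Base64-encoded HMAC key material to import.</param>
/// <param name="hostName">Hub host name stored in NV together with <paramref name="deviceId"/>.</param>
/// <param name="deviceId">Device identifier; may be empty, in which case only "hostName/" is stored.</param>
/// <exception cref="ArgumentNullException">If <paramref name="encodedHmacKey"/> or <paramref name="hostName"/> is null.</exception>
/// <exception cref="FormatException">If <paramref name="encodedHmacKey"/> is not valid Base64.</exception>
public void Provision(string encodedHmacKey, string hostName, string deviceId = "")
{
    if (hostName == null)
    {
        throw new ArgumentNullException("hostName");
    }

    // Index/handle base constants and logicalDeviceId are members of the enclosing class (not visible here).
    TpmHandle nvHandle = new TpmHandle(AIOTH_PERSISTED_URI_INDEX + logicalDeviceId);
    TpmHandle ownerHandle = new TpmHandle(TpmRh.Owner);
    TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
    TpmHandle srkHandle = new TpmHandle(SRK_HANDLE);

    byte[] nvData = new UTF8Encoding().GetBytes(hostName + "/" + deviceId);
    // Throws ArgumentNullException / FormatException on bad input before any TPM state is touched.
    byte[] hmacKey = System.Convert.FromBase64String(encodedHmacKey);

    try
    {
        // Open the TPM; both the device and the Tpm2 wrapper are disposed even if a command fails.
        using (Tpm2Device tpmDevice = new TbsDevice())
        {
            tpmDevice.Connect();
            using (var tpm = new Tpm2(tpmDevice))
            {
                // Define the NV index holding the hub URI. Empty auth value plus Authread|Authwrite
                // means anyone who can talk to this TPM can read or overwrite it; that is tolerable
                // only because the stored value is not a secret. Re-running this method will likely
                // fail here if the index already exists (not handled in this sample).
                tpm.NvDefineSpace(ownerHandle, new byte[0],
                                  new NvPublic(nvHandle, TpmAlgId.Sha256,
                                               NvAttr.Authwrite | NvAttr.Authread | NvAttr.NoDa,
                                               new byte[0], (ushort)nvData.Length));
                tpm.NvWrite(nvHandle, nvHandle, nvData, 0);

                // Import the HMAC key under the SRK as a SHA-256 keyed-hash signing object.
                // NOTE(review): userAuth is empty and UserWithAuth is set, so any local process
                // with TPM access can compute HMACs with this key; the TPM protects the key
                // material itself, not its use. Confirm this matches the deployment's threat model.
                TpmPublic hmacPub;
                CreationData creationData;
                byte[] creationhash;
                TkCreation ticket;
                TpmPrivate hmacPrv = tpm.Create(srkHandle,
                                                new SensitiveCreate(new byte[0], hmacKey),
                                                new TpmPublic(TpmAlgId.Sha256,
                                                              ObjectAttr.UserWithAuth | ObjectAttr.NoDA | ObjectAttr.Sign,
                                                              new byte[0],
                                                              new KeyedhashParms(new SchemeHmac(TpmAlgId.Sha256)),
                                                              new Tpm2bDigestKeyedhash()),
                                                new byte[0],
                                                new PcrSelection[0],
                                                out hmacPub, out creationData, out creationhash, out ticket);

                // Load the key, make it persistent at hmacKeyHandle, then drop the transient copy.
                TpmHandle loadedHmacKey = tpm.Load(srkHandle, hmacPrv, hmacPub);
                tpm.EvictControl(ownerHandle, loadedHmacKey, hmacKeyHandle);
                tpm.FlushContext(loadedHmacKey);
            }
        }
    }
    finally
    {
        // The key now lives in the TPM; scrub the plaintext copy from managed memory.
        // Best effort only: the GC may already have relocated the array.
        Array.Clear(hmacKey, 0, hmacKey.Length);
    }
}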