/// <summary>
/// Performs the actual swap-in operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedIn(KeyHandleItem item)
{
if (item.Status != KeyHandleItem.KeyHandleStatus.SwappedOut)
{
throw new ArgumentException("Invalid key handle state for swap in operation");
}
if (AvailableKeySlots <= LoadedKeys)
{
SwapOut();
}
Parameters swapInParameters = new Parameters();
swapInParameters.AddValue("handle", item.KeyHandle);
swapInParameters.AddPrimitiveType("context_blob", item.KeyHandle.ContextBlob);
TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters);
TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest);
if (swapInResponse.Status == false)
{
throw new TPMRequestException("Keymanager: Unknown error while swap in operation");
}
item.KeyHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle;
}
/// <summary>
/// Seals data to the specified pcr selection,
/// create a valid pcr selection with session.CreateEmptyPCRSelection
/// </summary>
/// <param name="pcrSelection"></param>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
paramsSeal.AddValue("pcr_selection", pcrSelection);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));
if (authSeal.Hashed == false)
{
authSeal.Hash();
}
authSeal.DecryptHash();
paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);
try
{
TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
return(sealResponse.Parameters.GetValueOf <byte[]>("data"));
}
finally
{
if (authSeal != null)
{
authSeal.ClearHash();
}
}
}
/// <summary>
/// Performs the actual swap-out operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedOut(AuthHandleItem item)
{
if (item.Status != AuthHandleItem.AuthHandleStatus.SwappedIn)
{
throw new ArgumentException("Invalid auth handle state for swap out operation");
}
using (new LockContext(_authHandles, "AuthHandleManager::SwappedOut"))
{
Parameters swapOutParameters = new Parameters();
swapOutParameters.AddValue("handle", item.AuthHandle);
TPMCommandRequest swapOutRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_SaveContext, swapOutParameters);
TPMCommandResponse swapOutResponse = _tpmContext.TPM.Process(swapOutRequest);
if (swapOutResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap out operation");
}
item.Status = AuthHandleItem.AuthHandleStatus.SwappedOut;
item.AuthHandle.ContextBlob = swapOutResponse.Parameters.GetValueOf <byte[]>("context_blob");
}
}
/// <summary>
/// Performs the actual swap-in operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedIn(AuthHandleItem item)
{
//uint oldHandle = item.AuthHandle.Handle;
if (item.Status != AuthHandleItem.AuthHandleStatus.SwappedOut)
{
throw new ArgumentException("Invalid auth handle state for swap in operation");
}
using (new LockContext(_authHandles, "AuthHandleManager::SwappedIn"))
{
if (AvailableSessionSlots <= LoadedSessions)
{
SwapOut();
}
Parameters swapInParameters = new Parameters();
swapInParameters.AddValue("handle", item.AuthHandle);
swapInParameters.AddPrimitiveType("context_blob", item.AuthHandle.ContextBlob);
TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters);
TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest);
if (swapInResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap in operation");
}
item.AuthHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle;
item.Status = AuthHandleItem.AuthHandleStatus.SwappedIn;
}
}
/// <summary>
/// Performs the actual swap-out operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedOut(KeyHandleItem item)
{
if (item.Status != KeyHandleItem.KeyHandleStatus.SwappedIn)
{
throw new ArgumentException("Invalid auth handle state for swap out operation");
}
Parameters swapOutParameters = new Parameters();
swapOutParameters.AddValue("handle", item.KeyHandle);
TPMCommandRequest swapOutRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_SaveContext, swapOutParameters);
TPMCommandResponse swapOutResponse = _tpmContext.TPM.Process(swapOutRequest);
if (swapOutResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap out operation");
}
//For key handles the tpm does not release the memory after save context
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, swapOutParameters);
TPMCommandResponse flushResponse = _tpmContext.TPM.Process(flushRequest);
if (flushResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap out (flush) operation");
}
item.Status = KeyHandleItem.KeyHandleStatus.SwappedOut;
item.KeyHandle.ContextBlob = swapOutResponse.Parameters.GetValueOf <byte[]>("context_blob");
}
private static AuthHandle EstablishOIAP(TPMWrapper tpm)
{
ILog log = LogManager.GetLogger("EstablishOIAP");
for (int i = 0; i < 2; i++)
{
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse response = tpm.Process(request);
AuthHandle myAuthHandle = response.Parameters.GetValueOf <AuthHandle> ("auth_handle");
// Parameters parameters = new Parameters ();
// parameters.AddValue ("handle", myAuthHandle);
// TPMCommandRequest requestFlush = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FLUSH_SPECIFIC, parameters);
// tpm.Process (requestFlush);
//return myAuthHandle;
}
Parameters listHandlesParameters = new Parameters();
listHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listHandlesParameters.AddPrimitiveType("handle_type", TPMResourceType.TPM_RT_AUTH);
TPMCommandRequest listHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, listHandlesParameters);
TPMCommandResponse listHandlesResponse = tpm.Process(listHandlesRequest);
HandleList loadedKeyHandles = listHandlesResponse.Parameters.GetValueOf <HandleList> ("handles");
return(null);
}
private static void ReadPCRs(TPMWrapper tpm)
{
uint i = 0;
ILog log = LogManager.GetLogger("ReadPCRs");
Parameters param = new Parameters();
param.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY);
param.AddPrimitiveType("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR);
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, param);
TPMCommandResponse response = tpm.Process(request);
uint maxPcrs = response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_PCR);
for (i = 0; i < maxPcrs; ++i)
{
param = new Parameters();
param.AddPrimitiveType("pcrnum", i);
TPMCommandRequest req = new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, param);
TPMCommandResponse resp = tpm.Process(req);
byte[] val = resp.Parameters.GetValueOf <byte[]>("value");
log.InfoFormat("Answer for PCR {0} is: 0x{1}", resp.Parameters.GetValueOf <UInt32>("pcrnum"),
ByteHelper.ByteArrayToHexString(val));
}
// TPMCommandRequest req = new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, null);
// TPMCommand com = TPMCommandFactory.Create(req);
// com.Init(param, tpm);
// com.Process();
//Console.WriteLine ("Hello World!");
}
/// <summary>
/// Reads the configured tpm devices from the configuration and
/// sets up the corresponding tpm contexts
/// </summary>
private void SetupTPMContexts()
{
IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection("connections");
foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices)
{
try
{
_logger.InfoFormat("Setting up tpm context '{0}'", device.TPMName);
TPMWrapper tpmDevice = new TPMWrapper();
tpmDevice.Init(device.TPMType, device.Parameters);
TPMContext tpmContext = new TPMContext(device.TPMName, tpmDevice);
_tpmContexts.Add(device.TPMName, tpmContext);
_logger.InfoFormat("Flushing device '{0}'", device.TPMName);
foreach (TPMResourceType resourceType in new TPMResourceType[] {
TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY
})
{
Parameters listLoadedHandlesParameters = new Parameters();
listLoadedHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listLoadedHandlesParameters.AddPrimitiveType("handle_type", resourceType);
TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability,
listLoadedHandlesParameters);
TPMCommandResponse response = tpmDevice.Process(listLoadedHandlesRequest);
if (response.Status == false)
{
throw new Exception("An unknown tpm exception while flushing occured");
}
foreach (uint handle in response.Parameters.GetValueOf <HandleList> ("handles"))
{
Parameters flushParameters = new Parameters();
flushParameters.AddValue("handle", HandleFactory.Create(resourceType, handle));
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters);
TPMCommandResponse flushResponse = tpmDevice.Process(flushRequest);
if (flushResponse.Status == false)
{
throw new Exception("Something went wrong while flushing");
}
}
}
_logger.InfoFormat("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType);
}
catch (Exception ex)
{
_logger.FatalFormat("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex);
}
///Set the Assembly search order for incoming Parameters so that core classes are always at first
Parameters.AssemblySearchOrder = new Assembly[] {
typeof(TPMWrapper).Assembly, //lib core
typeof(ITypedParameter).Assembly
}; //lib common
}
}
public override void Read(Stream src)
{
base.Read(src);
if (Succeeded)
{
_commandResponse = new TPMCommandResponse(src);
}
}
/// <summary>
/// Unbinds the specified data, the encrypted data needs to be
/// of type TPMBoundData
/// </summary>
/// <param name="data"></param>
/// <returns>Returns the decrypted data</returns>
public byte[] Unbind(byte[] data)
{
Parameters paramsUnbind = new Parameters();
paramsUnbind.AddPrimitiveType("in_data", data);
paramsUnbind.AddPrimitiveType("key", _keyIdentifier);
TPMCommandResponse unbindResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unbind, paramsUnbind);
return(unbindResponse.Parameters.GetValueOf <byte[]>("data"));
}
private TPMCommandResponse BuildDoVerifyRequest(string commandIdentifier, Parameters parameters)
{
TPMCommandRequest versionRequest = new TPMCommandRequest(commandIdentifier, parameters);
TPMCommandResponse response = _tpmSession.DoTPMCommandRequest(versionRequest);
if (response.Status == false)
{
throw new TPMRequestException("An unknown tpm error occured");
}
return(response);
}
private static void ReadCapabilities(TPMWrapper tpm)
{
ILog log = LogManager.GetLogger("ReadCapabilities");
// Read out each capability property
foreach (CapabilityData.TPMSubCapProperty subCap in Enum.GetValues(typeof(CapabilityData.TPMSubCapProperty)))
{
Parameters param = new Parameters();
param.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY);
param.AddPrimitiveType("subCap", subCap);
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, param);
TPMCommandResponse response = tpm.Process(request);
switch (subCap)
{
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR:
log.InfoFormat("Number of PCRs is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_PCR));
break;
//case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_DIR:
// log.InfoFormat("Number of DIR is {0} and should be 1 because command is deprecated", response.Parameters.GetValueOf<uint>(CapabilityData.PARAM_PROP_DIR));
// break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MANUFACTURER:
log.InfoFormat("Manufacturer ID is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MANUFACTURER));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_KEYS:
log.InfoFormat("Number of free keyslots is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_KEYS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS:
log.InfoFormat("Number of max Auth Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_AUTHSESS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS:
log.InfoFormat("Number of max Trans Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_TRANSESS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS:
log.InfoFormat("Number of max keys (without EK and SRK) is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_KEYS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS:
log.InfoFormat("Number of max Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_SESSIONS));
break;
default:
throw new NotSupportedException("Defined cap or subcap are not supported");
}
}
}
/// <summary>
/// Unseals the specified data
/// </summary>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Unseal(byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
TPMCommandResponse unsealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unseal, paramsSeal);
return(unsealResponse.Parameters.GetValueOf <byte[]>("data"));
}
/// <summary>
/// Cryptographically reports the selected PCR values and returns
/// the TPMPCRComposite and the generated signature. If no
/// external data is supplied a random nonce is generated on the server.
/// The length of externalData is defined by the hashing algorithm used by the TPM
/// </summary>
/// <param name="pcrs"></param>
/// <param name="externalData">Nonce used for the quoting operation,
/// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value
/// with the correct length</param>
/// <returns></returns>
public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData)
{
Parameters quoteParameters = new Parameters();
quoteParameters.AddPrimitiveType("key", _keyIdentifier);
quoteParameters.AddValue("targetPCR", pcrs);
if (externalData != null)
{
quoteParameters.AddPrimitiveType("externalData", externalData);
}
TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters);
return(new QuoteResponse(response.Parameters.GetValueOf <TPMPCRComposite>("pcrData"),
response.Parameters.GetValueOf <byte[]>("sig")));
}
/// <summary>
/// Really destroys the auth handle on the tpm AND in the local cache
/// </summary>
/// <param name="item">
/// A <see cref="AuthHandleItem"/>
/// </param>
private void InternalDestroyHandle(AuthHandleItem item)
{
Parameters parameters = new Parameters();
parameters.AddValue("handle", item.AuthHandle);
parameters.AddPrimitiveType("ignore_tpm_error", true);
TPMCommandRequest destroyHandleRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, parameters);
TPMCommandResponse destroyHandleResponse = _tpmContext.TPM.Process(destroyHandleRequest);
if (!destroyHandleResponse.Status)
{
throw new TPMRequestException("Error on flushing auth handle context, aborting");
}
_logger.DebugFormat("Authhandles before remove: {0}", _authHandles);
InternalRemoveAuthHandle(item);
_logger.DebugFormat("Authhandles after remove: {0}", _authHandles);
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_PcrRead);
requestBlob.WriteUInt32((uint)_register);
requestBlob.WriteCmdSize();
TPMBlob responseBlob = TransmitMe(requestBlob);
Parameters responseParam = new Parameters();
byte[] val = responseBlob.ReadBytes(20);
responseParam.AddPrimitiveType("pcrnum", _register);
responseParam.AddPrimitiveType("value", val);
TPMCommandResponse response = new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_PCRRead, responseParam);
return(response);
}
public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper)
{
base.Init(param, tpmProvider, tpmWrapper);
_digest = null;
_responseDigest = null;
_inData = param.GetValueOf <byte[]>("in_data");
_pcrInfo = new TPMPCRInfoCore(new TPMPCRSelectionCore(param.GetValueOf <TPMPCRSelection>("pcr_selection")));
_pcrInfo.CalculateDigests((TPMPCRInfoCore.GetPCRValueDelegate) delegate(uint pcrNum)
{
//TODO: Use TPM_Quote to determine pcr values once it's available
Parameters pcrParams = new Parameters();
pcrParams.AddPrimitiveType("pcrnum", pcrNum);
TPMCommandResponse pcrResponse = _tpmWrapper.Process(new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams));
if (!pcrResponse.Status)
{
throw new TPMResponseException("An unknown error occured on performing pcrread");
}
return(pcrResponse.Parameters.GetValueOf <byte[]>("value"));
});
}
/// <summary>
/// Recursivly loads the specified key hierachy and returns the identifier of the parent key
/// </summary>
/// <param name="identifier">identifier of the key whos parent should be loaded</param>
/// <param name="keyContext"></param>
/// <param name="keystore"></param>
/// <returns></returns>
private string InternalLoadKey(string identifier, object keyContext, IKeyManagerHelper keymanagerHelper, ICommandAuthorizationHelper commandAuthHelper)
{
if (identifier == KeyHandle.KEY_SRK)
{
return(null);
}
//SRK
if (identifier == null)
{
return(null);
}
if (keymanagerHelper.ContainsIdentifier(identifier) == false)
{
throw new ArgumentException(string.Format("Keystore does not contain key with identifier: '{0}'", identifier));
}
bool reloadKey = true;
KeyHandleItem keyHandleItem = null;
while (reloadKey)
{
using (AcquireLock())
{
keyHandleItem = _keyHandles.FindKeyHandleItem(identifier, keyContext);
if (keyHandleItem == null)
{
//If no key handle with such an identifier exists, add a NotLoaded entry,
//so other threads can wait for that handle to become ready
_keyHandles.AddKeyHandle(new KeyHandleItem(new KeyHandle(identifier, 0),
KeyHandleItem.KeyHandleStatus.NotLoaded, keyContext));
}
}
reloadKey = false;
//The key is currently being loaded, wait till the loading process has finished/or failed
if (keyHandleItem != null && keyHandleItem.Status == KeyHandleItem.KeyHandleStatus.NotLoaded)
{
keyHandleItem.LoadedEvt.WaitOne();
reloadKey = true;
}
}
//Key is already loaded/swaped out
if (keyHandleItem != null)
{
IdentifierToHandle(identifier, keyContext, keymanagerHelper);
return(identifier);
}
string parentKey = keymanagerHelper.FindParentKey(identifier);
InternalLoadKey(parentKey, keyContext, keymanagerHelper, commandAuthHelper);
Parameters paramLoadKey = new Parameters();
// Load the key
//SRK
if (parentKey == null || parentKey == KeyHandle.KEY_SRK)
{
paramLoadKey.AddPrimitiveType("parent_key_srk", true);
}
else
{
paramLoadKey.AddPrimitiveType("parent_key_srk", false);
//paramLoadKey.AddPrimitiveType("parent_handle", IdentifierToHandle(parentKey, keyContext, keymanagerHelper));
paramLoadKey.AddPrimitiveType("parent_identifier", parentKey);
}
paramLoadKey.AddPrimitiveType("key_identifier", identifier);
paramLoadKey.AddPrimitiveType("key_blob", keymanagerHelper.GetKeyBlob(identifier));
TPMCommandRequest requestLoadKey = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadKey2, paramLoadKey);
TPMCommandResponse responseLoadKey = _tpmContext.TPM.Process(requestLoadKey, commandAuthHelper, keymanagerHelper);
if (responseLoadKey.Status == false)
{
KeyHandleItem keyHandleToRemove = _keyHandles.FindKeyHandleItem(identifier, keyContext);
if (keyHandleToRemove != null)
{
keyHandleItem.LoadedEvt.Set();
_keyHandles.RemoveKeyHandle(keyHandleToRemove);
}
throw new TPMRequestException("Unknown error on running TPM_LoadKey2");
}
using (AcquireLock())
{
//Make sure that a dummy (not loaded) keyhandleitem get removed
KeyHandleItem keyHandleToRemove = _keyHandles.FindKeyHandleItem(identifier, keyContext);
if (keyHandleToRemove != null)
{
keyHandleToRemove.LoadedEvt.Set();
_keyHandles.RemoveKeyHandle(keyHandleToRemove);
}
KeyHandleItem item = new KeyHandleItem(responseLoadKey.Parameters.GetValueOf <KeyHandle>("handle"),
KeyHandleItem.KeyHandleStatus.SwappedIn, keyContext);
_keyHandles.AddKeyHandle(item);
AddNewItem(item);
}
return(parentKey);
}
private AuthHandleItem CreateAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP))
{
TPMCommandRequest oiapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse oiapResponse = _tpmContext.TPM.Process(oiapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (oiapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating oiap auth handle");
}
AuthHandle newAuthHandle = oiapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OIAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else if (cmd.SupportsAuthType(AuthHandle.AuthType.OSAP))
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("entity_msb", TPMEntityTypeMSB.TPM_ET_XOR);
parameters.AddPrimitiveType("entity_lsb", cmd.GetEntityType(authSession));
string identifier = cmd.GetHandle(authSession);
if (identifier == null)
{
throw new TPMRequestException("Missing entity value for OSAP session");
}
parameters.AddPrimitiveType("entity_value", identifier);
TPMCommandRequest osapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OSAP, parameters);
TPMCommandResponse osapResponse = _tpmContext.TPM.Process(osapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (osapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating osap auth handle");
}
AuthHandle newAuthHandle = osapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OSAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else
{
throw new NotSupportedException("Command does not support a suitable AuthType");
}
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_nonce, 0, 20);
_pcrSelection.WriteToTpmBlob(requestBlob);
_keyManager.LoadKey(_params.GetValueOf <string>("key"));
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
// Do signature verification
TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);
byte[] signingData;
using (TPMBlob blob = new TPMBlob())
{
quoteInfo.WriteToTpmBlob(blob);
signingData = blob.ToArray();
}
Parameters pubKeyParams = new Parameters();
pubKeyParams.AddPrimitiveType("key", _params.GetValueOf <string>("key"));
TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
_commandAuthHelper, _keyManager);
if (pubKeyResponse.Status == false)
{
_log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters()));
}
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf <string>("key")));
TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf <TPMPubkey>("pubkey");
if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
{
throw new ArgumentException("The TPM_Quote signature could not be verified");
}
Parameters responseParams = new Parameters();
responseParams.AddValue("pcrData", pcrComposite);
responseParams.AddPrimitiveType("sig", signature);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams));
}
public ClientKeyHandle CreateKey(string friendlyName, uint keyLength, TPMKeyUsage keyUsage, TPMKeyFlags keyFlags)
{
Parameters paramsCreateWrapKey = new Parameters();
paramsCreateWrapKey.AddPrimitiveType("parent", KeyIdentifier);
paramsCreateWrapKey.AddPrimitiveType("key_usage", keyUsage);
paramsCreateWrapKey.AddPrimitiveType("key_flags", keyFlags);
paramsCreateWrapKey.AddPrimitiveType("key_length", keyLength);
paramsCreateWrapKey.AddPrimitiveType("exponent", new byte[0]);
paramsCreateWrapKey.AddPrimitiveType("num_primes", (uint)0);
if (keyUsage == TPMKeyUsage.TPM_KEY_SIGNING)
{
paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_NONE);
paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1);
}
else
{
paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_RSAESOAEP_SHA1_MGF1);
paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_NONE);
}
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifierIsFriendlyName", true);
parameters.AddPrimitiveType("identifier", friendlyName);
ProtectedPasswordStorage authUsage = _tpmSession.RequestSecret(
new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));
if (authUsage.Hashed == false)
{
authUsage.Hash();
}
authUsage.DecryptHash();
paramsCreateWrapKey.AddPrimitiveType("usage_auth", authUsage.HashValue);
ProtectedPasswordStorage authMigration = null;
if ((keyFlags & TPMKeyFlags.Migratable) == TPMKeyFlags.Migratable)
{
authMigration = _tpmSession.RequestSecret(
new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyMigrationSecret, parameters));
authMigration.DecryptHash();
paramsCreateWrapKey.AddPrimitiveType("migration_auth", authMigration.HashValue);
}
else
{
paramsCreateWrapKey.AddPrimitiveType("migration_auth", new byte[20]);
}
try
{
TPMCommandResponse responseCreateWrapKey =
BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_CreateWrapKey, paramsCreateWrapKey);
_tpmSession.Keystore.AddKey(
friendlyName,
responseCreateWrapKey.Parameters.GetValueOf <string>("key_identifier"),
this.FriendlyName,
responseCreateWrapKey.Parameters.GetValueOf <byte[]>("key_data"));
return(new ClientKeyHandle(friendlyName, responseCreateWrapKey.Parameters.GetValueOf <string>("key_identifier"), _tpmSession));
}
finally
{
if (authMigration != null)
{
authMigration.ClearHash();
}
if (authUsage != null)
{
authUsage.ClearHash();
}
}
}
