public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper) { base.Init(param, tpmProvider, tpmWrapper); _digest = null; _tpmKey = TPMKeyCore.CreateFromBytes(param.GetValueOf <byte[]>("key_blob")); }
public override void Clear() { base.Clear(); _tpmKey = null; _digest = null; }
public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper) { base.Init(param, tpmProvider, tpmWrapper); _digest = null; _tpmKey = TPMKeyCore.Create( CapabilityDataCore.TPMVersionCore.CreateVersion11(), _params.GetValueOf <TPMKeyUsage>("key_usage"), _params.GetValueOf <TPMKeyFlags>("key_flags"), TPMAuthDataUsage.TPM_AUTH_ALWAYS, TPMKeyParamsCore.Create( TPMAlgorithmId.TPM_ALG_RSA, _params.GetValueOf <TPMEncScheme>("enc_scheme"), _params.GetValueOf <TPMSigScheme>("sig_scheme"), TPMRSAKeyParamsCore.Create( _params.GetValueOf <uint>("key_length"), _params.GetValueOf <uint>("num_primes"), _params.GetValueOf <byte[]>("exponent")) ), null, //Pubkey, use default (empty) pubkey null //no encoded data ); }
/// <summary> /// Retrieves informations about keys /// </summary> /// <param name="subsystem"></param> /// <param name="requestContext"></param> private void HandleKeyInfoRequest(TPMSubsystem subsystem, RequestContext <KeyInfoRequest, KeyInfoResponse> requestContext) { TPMContext tpmContext; KeyInfoResponse response; lock (_selectedTPMs) { if (_selectedTPMs.ContainsKey(requestContext.Request.TPMIdentifier) == false) { response = requestContext.CreateResponse(); response.Succeeded = false; response.SetKnownErrorCode(TPMSubsystemResponseBase.ErrorCodeEnum.TPMIdentifierNotValid); response.Execute(); return; } tpmContext = _selectedTPMs[requestContext.Request.TPMIdentifier]; } if (!AssertUserAuthentication("key_info_" + _selectedTPMs[requestContext.Request.TPMIdentifier].DeviceName, requestContext.CreateResponse())) { return; } KeyManagerHelper keyManagerHelper = new KeyManagerHelper(ServerContext, tpmContext, requestContext.Request.TPMIdentifier, new CommandAuthorizationHelper(ServerContext, requestContext.Request.TPMIdentifier, tpmContext)); if (keyManagerHelper.ContainsIdentifier(requestContext.Request.KeyIdentifier) == false) { response = requestContext.CreateResponse(); response.Succeeded = false; response.SetKnownErrorCode(TPMSubsystemResponseBase.ErrorCodeEnum.NotAValidKeyIdentifier); response.Execute(); return; } byte[] keyBlob = keyManagerHelper.GetKeyBlob(requestContext.Request.KeyIdentifier); response = requestContext.CreateResponse(); response.Succeeded = true; response.TPMKey = TPMKeyCore.CreateFromBytes(keyBlob); response.Execute(); }
public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper) { base.Init(param, tpmProvider, tpmWrapper); _digest = null; _tpmKey = TPMKeyCore.Create( CapabilityDataCore.TPMVersionCore.CreateVersion11(), TPMKeyUsage.TPM_KEY_STORAGE, TPMKeyFlags.None, TPMAuthDataUsage.TPM_AUTH_ALWAYS, TPMKeyParamsCore.Create( TPMAlgorithmId.TPM_ALG_RSA, TPMEncScheme.TPM_ES_RSAESOAEP_SHA1_MGF1, TPMSigScheme.TPM_SS_NONE, TPMRSAKeyParamsCore.Create(TPMRSAKeyParamsCore.DEFAULT_KEYLENGTH, TPMRSAKeyParamsCore.DEFAULT_NUMPRIMES, null) ), null, //Pubkey, use default (empty) pubkey null //no encoded data ); }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_nonce, 0, 20); _pcrSelection.WriteToTpmBlob(requestBlob); _keyManager.LoadKey(_params.GetValueOf <string>("key")); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); // Do signature verification TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce); byte[] signingData; using (TPMBlob blob = new TPMBlob()) { quoteInfo.WriteToTpmBlob(blob); signingData = blob.ToArray(); } Parameters pubKeyParams = new Parameters(); pubKeyParams.AddPrimitiveType("key", _params.GetValueOf <string>("key")); TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams); TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest, _commandAuthHelper, _keyManager); if (pubKeyResponse.Status == false) { _log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key"); return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters())); } TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf <string>("key"))); TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf <TPMPubkey>("pubkey"); if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false) { throw new ArgumentException("The TPM_Quote signature could not be verified"); } Parameters responseParams = new Parameters(); responseParams.AddValue("pcrData", pcrComposite); responseParams.AddPrimitiveType("sig", signature); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams)); }
protected override TPMCommandResponse InternalProcess() { string key = _params.GetValueOf <string>("key"); _keyManager.LoadKey(key); TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key)); if (keyInfo == null) { throw new ArgumentException(string.Format("TPM_Sign could not retrieve keyinfo for key '{0}'", key)); } byte[] areaToSign = null; if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1) { //Client has hopefully put data in the right format ready for the tpm to process if (_params.IsDefined <byte[]>("areaToSign")) { areaToSign = _params.GetValueOf <byte[]>("areaToSign"); } //Client just sends data, tpm lib cares about the right, signature dependent, processing else if (_params.IsDefined <byte[]>("data")) { byte[] data = _params.GetValueOf <byte[]>("data"); areaToSign = new HashProvider().Hash(new HashByteDataProvider(data)); } if (areaToSign.Length != 20) { throw new ArgumentException(string.Format("Sig scheme '{0}' expects an area to sign with length 20!", keyInfo.AlgorithmParams.SigScheme)); } } else { throw new ArgumentException(string.Format("TPM_Sign has not implemented signature scheme '{0}' for algorithm '{1}'", keyInfo.AlgorithmParams.SigScheme, keyInfo.AlgorithmParams.AlgorithmId)); } TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Sign); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.WriteUInt32((uint)areaToSign.Length); requestBlob.Write(areaToSign, 0, areaToSign.Length); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("sig", signature); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Sign, responseParams)); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _usageAuth = _params.GetValueOf <byte[]> ("usage_auth"); _migrationAuth = _params.GetValueOf <byte[]> ("migration_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_usageAuth, xorKey); ByteHelper.XORBytes(_migrationAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf <string>("parent")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey); //parent key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_usageAuth, 0, 20); requestBlob.Write(_migrationAuth, 0, 20); _tpmKey.WriteToTpmBlob(requestBlob); using (_keyManager.AcquireLock()) { AuthorizeMe(requestBlob); requestBlob.SkipHeader(); if (_params.GetValueOf <string>("parent") == KeyHandle.KEY_SRK) { requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK); } else { requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("parent")).Handle); } _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMKeyCore newKey = new TPMKeyCore(_responseBlob); _responseParameters = new Parameters(); //Build and save the key identifier //The key identifier is the hex-string representation of the hash of the newly created key _responseParameters.AddPrimitiveType("key_identifier", ByteHelper.ByteArrayToHexString( new HashProvider().Hash( new HashByteDataProvider( ByteHelper.SerializeToBytes(newKey) ) ), "")); _responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters)); }