Exemple #1
0
        public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper)
        {
            base.Init(param, tpmProvider, tpmWrapper);

            _digest = null;
            _tpmKey = TPMKeyCore.CreateFromBytes(param.GetValueOf <byte[]>("key_blob"));
        }
Exemple #2
0
        /// <summary>
        /// Retrieves informations about keys
        /// </summary>
        /// <param name="subsystem"></param>
        /// <param name="requestContext"></param>
        private void HandleKeyInfoRequest(TPMSubsystem subsystem, RequestContext <KeyInfoRequest, KeyInfoResponse> requestContext)
        {
            TPMContext      tpmContext;
            KeyInfoResponse response;

            lock (_selectedTPMs)
            {
                if (_selectedTPMs.ContainsKey(requestContext.Request.TPMIdentifier) == false)
                {
                    response           = requestContext.CreateResponse();
                    response.Succeeded = false;
                    response.SetKnownErrorCode(TPMSubsystemResponseBase.ErrorCodeEnum.TPMIdentifierNotValid);
                    response.Execute();
                    return;
                }

                tpmContext = _selectedTPMs[requestContext.Request.TPMIdentifier];
            }

            if (!AssertUserAuthentication("key_info_" + _selectedTPMs[requestContext.Request.TPMIdentifier].DeviceName, requestContext.CreateResponse()))
            {
                return;
            }

            KeyManagerHelper keyManagerHelper = new KeyManagerHelper(ServerContext, tpmContext, requestContext.Request.TPMIdentifier,
                                                                     new CommandAuthorizationHelper(ServerContext, requestContext.Request.TPMIdentifier, tpmContext));

            if (keyManagerHelper.ContainsIdentifier(requestContext.Request.KeyIdentifier) == false)
            {
                response           = requestContext.CreateResponse();
                response.Succeeded = false;
                response.SetKnownErrorCode(TPMSubsystemResponseBase.ErrorCodeEnum.NotAValidKeyIdentifier);
                response.Execute();
                return;
            }

            byte[] keyBlob = keyManagerHelper.GetKeyBlob(requestContext.Request.KeyIdentifier);
            response           = requestContext.CreateResponse();
            response.Succeeded = true;
            response.TPMKey    = TPMKeyCore.CreateFromBytes(keyBlob);
            response.Execute();
        }
Exemple #3
0
        protected override TPMCommandResponse InternalProcess()
        {
            TPMBlob requestBlob = new TPMBlob();

            requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);

            //key handle gets inserted later, it may be not available now
            requestBlob.WriteUInt32(0);
            requestBlob.Write(_nonce, 0, 20);
            _pcrSelection.WriteToTpmBlob(requestBlob);

            _keyManager.LoadKey(_params.GetValueOf <string>("key"));

            AuthorizeMe(requestBlob);

            using (_keyManager.AcquireLock())
            {
                requestBlob.SkipHeader();
                requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
                _responseBlob = TransmitMe(requestBlob);
            }

            CheckResponseAuthInfo();

            _responseBlob.SkipHeader();

            TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
            uint sigSize = _responseBlob.ReadUInt32();

            byte[] signature = _responseBlob.ReadBytes((int)sigSize);

            // Do signature verification
            TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);

            byte[] signingData;
            using (TPMBlob blob = new TPMBlob())
            {
                quoteInfo.WriteToTpmBlob(blob);
                signingData = blob.ToArray();
            }

            Parameters pubKeyParams = new Parameters();

            pubKeyParams.AddPrimitiveType("key", _params.GetValueOf <string>("key"));
            TPMCommandRequest  pubKeyRequest  = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
            TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
                                                                    _commandAuthHelper, _keyManager);

            if (pubKeyResponse.Status == false)
            {
                _log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
                return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters()));
            }

            TPMKey    keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf <string>("key")));
            TPMPubkey pubkey  = pubKeyResponse.Parameters.GetValueOf <TPMPubkey>("pubkey");

            if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
            {
                throw new ArgumentException("The TPM_Quote signature could not be verified");
            }

            Parameters responseParams = new Parameters();

            responseParams.AddValue("pcrData", pcrComposite);
            responseParams.AddPrimitiveType("sig", signature);

            return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams));
        }
Exemple #4
0
        protected override TPMCommandResponse InternalProcess()
        {
            string key = _params.GetValueOf <string>("key");

            _keyManager.LoadKey(key);

            TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key));

            if (keyInfo == null)
            {
                throw new ArgumentException(string.Format("TPM_Sign could not retrieve keyinfo for key '{0}'", key));
            }

            byte[] areaToSign = null;

            if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1)
            {
                //Client has hopefully put data in the right format ready for the tpm to process
                if (_params.IsDefined <byte[]>("areaToSign"))
                {
                    areaToSign = _params.GetValueOf <byte[]>("areaToSign");
                }
                //Client just sends data, tpm lib cares about the right, signature dependent, processing
                else if (_params.IsDefined <byte[]>("data"))
                {
                    byte[] data = _params.GetValueOf <byte[]>("data");

                    areaToSign = new HashProvider().Hash(new HashByteDataProvider(data));
                }

                if (areaToSign.Length != 20)
                {
                    throw new ArgumentException(string.Format("Sig scheme '{0}' expects an area to sign with length 20!", keyInfo.AlgorithmParams.SigScheme));
                }
            }
            else
            {
                throw new ArgumentException(string.Format("TPM_Sign has not implemented signature scheme '{0}' for algorithm '{1}'", keyInfo.AlgorithmParams.SigScheme, keyInfo.AlgorithmParams.AlgorithmId));
            }


            TPMBlob requestBlob = new TPMBlob();

            requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Sign);

            //key handle gets inserted later, it may be not available now
            requestBlob.WriteUInt32(0);
            requestBlob.WriteUInt32((uint)areaToSign.Length);
            requestBlob.Write(areaToSign, 0, areaToSign.Length);

            AuthorizeMe(requestBlob);

            using (_keyManager.AcquireLock())
            {
                requestBlob.SkipHeader();
                requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle);

                _responseBlob = TransmitMe(requestBlob);
            }

            CheckResponseAuthInfo();

            _responseBlob.SkipHeader();

            uint sigSize = _responseBlob.ReadUInt32();

            byte[] signature = _responseBlob.ReadBytes((int)sigSize);

            Parameters responseParams = new Parameters();

            responseParams.AddPrimitiveType("sig", signature);
            return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Sign, responseParams));
        }