/// <summary>
/// Verifies a signature generated on the tpm
/// </summary>
/// <param name="keyInfo">The key blob loaded into the tpm</param>
/// <param name="pubkey">the public key</param>
/// <param name="data">data to verify for integrity</param>
/// <param name="signature">signature to verify</param>
/// <returns></returns>
public static bool VerifySignature(TPMKey keyInfo, TPMPubkey pubkey, byte[] data, byte[] signature)
{
if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1)
{
byte[] localDataDigest = new HashProvider().Hash(new HashByteDataProvider(data));
ISigner signatureVerificator = pubkey.CreateSignatureVerificator();
signatureVerificator.BlockUpdate(data, 0, data.Length);
return signatureVerificator.VerifySignature(signature);
}
else
throw new NotSupportedException(string.Format("The signature scheme '{0}' is not supported", keyInfo.AlgorithmParams.SigScheme));
}
/// <summary>
/// Verifies a signature generated on the tpm
/// </summary>
/// <param name="keyInfo">The key blob loaded into the tpm</param>
/// <param name="pubkey">the public key</param>
/// <param name="data">data to verify for integrity</param>
/// <param name="signature">signature to verify</param>
/// <returns></returns>
public static bool VerifySignature(TPMKey keyInfo, TPMPubkey pubkey, byte[] data, byte[] signature)
{
if (keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1)
{
byte[] localDataDigest = new HashProvider().Hash(new HashByteDataProvider(data));
ISigner signatureVerificator = pubkey.CreateSignatureVerificator();
signatureVerificator.BlockUpdate(data, 0, data.Length);
return(signatureVerificator.VerifySignature(signature));
}
else
{
throw new NotSupportedException(string.Format("The signature scheme '{0}' is not supported", keyInfo.AlgorithmParams.SigScheme));
}
}
public override void Execute(string[] commandline)
{
if (commandline.Length < 2)
{
_console.Out.WriteLine("Error: [local_alias] not specified");
}
else if (commandline.Length < 3)
{
_console.Out.WriteLine("Error: [ek_subcommand] not specified");
}
ClientContext ctx = _console.GetValue <ClientContext> ("client_context", null);
if (ctx == null)
{
_console.Out.WriteLine("No active connection was found");
return;
}
string localAlias = commandline[1];
string ekCommand = commandline[2];
IDictionary <string, TPMSession> tpmSessions = _console.GetValue <IDictionary <string, TPMSession> > ("tpm_sessions", null);
if (tpmSessions == null || tpmSessions.ContainsKey(localAlias) == false)
{
_console.Out.WriteLine("Error: Specified local alias was not found");
return;
}
if (ekCommand == "read_pubek")
{
TPMPubkey pubkey = tpmSessions[localAlias].EndorsementKeyHandling.PublicKey;
_console.Out.WriteLine(pubkey.ToString());
}
else
{
_console.Out.WriteLine("Error, unknown ek_subcommand '{0}'", commandline[1]);
}
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_nonce, 0, 20);
_pcrSelection.WriteToTpmBlob(requestBlob);
_keyManager.LoadKey(_params.GetValueOf <string>("key"));
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
// Do signature verification
TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);
byte[] signingData;
using (TPMBlob blob = new TPMBlob())
{
quoteInfo.WriteToTpmBlob(blob);
signingData = blob.ToArray();
}
Parameters pubKeyParams = new Parameters();
pubKeyParams.AddPrimitiveType("key", _params.GetValueOf <string>("key"));
TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
_commandAuthHelper, _keyManager);
if (pubKeyResponse.Status == false)
{
_log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
return(new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters()));
}
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf <string>("key")));
TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf <TPMPubkey>("pubkey");
if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
{
throw new ArgumentException("The TPM_Quote signature could not be verified");
}
Parameters responseParams = new Parameters();
responseParams.AddValue("pcrData", pcrComposite);
responseParams.AddPrimitiveType("sig", signature);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams));
}
