/// <summary> /// Signs the data using the Hardware Security Module. /// </summary> /// <param name="data">The data to be signed.</param> /// <returns>The signed data.</returns> public override byte[] Sign(byte[] data) { byte[] result = Array.Empty <byte>(); TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE); int dataIndex = 0; byte[] iterationBuffer; if (data.Length <= 1024) { result = _tpm2.Hmac(hmacKeyHandle, data, TpmAlgId.Sha256); } else { // Start the HMAC sequence. TpmHandle hmacHandle = _tpm2.HmacStart(hmacKeyHandle, Array.Empty <byte>(), TpmAlgId.Sha256); while (data.Length > dataIndex + 1024) { // Repeat to update the HMAC until we only have <=1024 bytes left. iterationBuffer = new Byte[1024]; Array.Copy(data, dataIndex, iterationBuffer, 0, 1024); _tpm2.SequenceUpdate(hmacHandle, iterationBuffer); dataIndex += 1024; } // Finalize the HMAC with the remainder of the data. iterationBuffer = new Byte[data.Length - dataIndex]; Array.Copy(data, dataIndex, iterationBuffer, 0, data.Length - dataIndex); result = _tpm2.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out TkHashcheck nullChk); } return(result); }
/// <summary> /// Signs the data using the previously activated identity key. /// </summary> /// <remarks> /// Calls to the TPM library can potentially return a <see cref="TssException"/> or a <see cref="TpmException"/> /// if your TPM hardware does not support the relevant API call. /// </remarks> /// <param name="data">The data to be signed.</param> /// <returns>The signed data.</returns> public override byte[] Sign(byte[] data) { if (Logging.IsEnabled) { Logging.Enter(this, null, nameof(Sign)); } if (data == null) { throw new ArgumentNullException(nameof(data)); } byte[] result = Array.Empty <byte>(); var hmacKeyHandle = new TpmHandle(AiothPersistedKeyHandle); int dataIndex = 0; byte[] iterationBuffer; const int maxBufferLength = 1024; if (data.Length <= maxBufferLength) { result = _tpm2.Hmac(hmacKeyHandle, data, TpmAlgId.Sha256); } else { // Start the HMAC sequence. TpmHandle hmacHandle = _tpm2.HmacStart(hmacKeyHandle, Array.Empty <byte>(), TpmAlgId.Sha256); while (data.Length > dataIndex + maxBufferLength) { // Repeat to update the HMAC until we only have <=1024 bytes left. iterationBuffer = new byte[maxBufferLength]; Array.Copy(data, dataIndex, iterationBuffer, 0, maxBufferLength); _tpm2.SequenceUpdate(hmacHandle, iterationBuffer); dataIndex += maxBufferLength; } // Finalize the HMAC with the remainder of the data. iterationBuffer = new byte[data.Length - dataIndex]; Array.Copy(data, dataIndex, iterationBuffer, 0, data.Length - dataIndex); result = _tpm2.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out TkHashcheck nullChk); } if (Logging.IsEnabled) { Logging.Exit(this, null, nameof(Sign)); } return(result); }
/// <summary> /// Sign data using the key stored in the TPM. The signing is done inside the TPM to avoid exposing the key. /// This is similar to using <see cref="System.Security.Cryptography.SHA256CryptoServiceProvider"/> which /// uses <see cref="System.Security.Cryptography.HMACSHA256"/> inside. /// </summary> /// <param name="data"></param> /// <returns></returns> public byte[] Sign(byte[] data) { TpmHandle hmacKeyHandle = new TpmHandle(PERSISTED_KEY_HANDLE + logicalDeviceId); int dataIndex = 0; byte[] iterationBuffer, result = Array.Empty <byte>(); try { // Open the TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); using (var tpm = new Tpm2(tpmDevice)) { if (data.Length <= 1024) { // Calculate the HMAC in one shot result = tpm.Hmac(hmacKeyHandle, data, TpmAlgId.Sha256); } else { // Start the HMAC sequence TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, Array.Empty <byte>(), TpmAlgId.Sha256); while (data.Length > dataIndex + 1024) { // Repeat to update the hmac until we only hace <=1024 bytes left iterationBuffer = new byte[1024]; Array.Copy(data, dataIndex, iterationBuffer, 0, 1024); tpm.SequenceUpdate(hmacHandle, iterationBuffer); dataIndex += 1024; } // Finalize the hmac with the remainder of the data iterationBuffer = new byte[data.Length - dataIndex]; Array.Copy(data, dataIndex, iterationBuffer, 0, data.Length - dataIndex); result = tpm.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out TkHashcheck nullChk); } } } catch { } return(result); }
public Byte[] SignHmac(Byte[] dataToSign) { TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId); int dataIndex = 0; Byte[] iterationBuffer; Byte[] hmac = { }; if (dataToSign.Length <= 1024) { try { // Open the TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); var tpm = new Tpm2(tpmDevice); // Calculate the HMAC in one shot hmac = tpm.Hmac(hmacKeyHandle, dataToSign, TpmAlgId.Sha256); // Dispose of the TPM tpm.Dispose(); } catch { return(hmac); } } else { try { // Open the TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); var tpm = new Tpm2(tpmDevice); // Start the HMAC sequence Byte[] hmacAuth = new byte[0]; TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, hmacAuth, TpmAlgId.Sha256); while (dataToSign.Length > dataIndex + 1024) { // Repeat to update the hmac until we only hace <=1024 bytes left iterationBuffer = new Byte[1024]; Array.Copy(dataToSign, dataIndex, iterationBuffer, 0, 1024); tpm.SequenceUpdate(hmacHandle, iterationBuffer); dataIndex += 1024; } // Finalize the hmac with the remainder of the data iterationBuffer = new Byte[dataToSign.Length - dataIndex]; Array.Copy(dataToSign, dataIndex, iterationBuffer, 0, dataToSign.Length - dataIndex); TkHashcheck nullChk; hmac = tpm.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out nullChk); // Dispose of the TPM tpm.Dispose(); } catch { return(hmac); } } return(hmac); }
/// <summary> /// Funzione per la firma HMAC tramite TPM /// </summary> /// <param name="dataToAuth"></param> /// <returns></returns> public static Byte[] CalculateHmac(Byte[] dataToAuth) { TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId); int dataIndex = 0; Byte[] iterationBuffer; Byte[] hmac = { }; // Se i valori da firmare sono < 1024 byte if (dataToAuth.Length <= 1024) { try { // Apertura del TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); var tpm = new Tpm2(tpmDevice); // Calcolo dell'HMAC tramite la funzione salvata in precedenza hmac = tpm.Hmac(hmacKeyHandle, dataToAuth, TpmAlgId.Sha256); // Dispose del TPM tpm.Dispose(); } catch (Exception ex) { Console.WriteLine(ex.Message); return(hmac); } } else { try { // Apertura del TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); var tpm = new Tpm2(tpmDevice); // Inizio della sequenza HMAC Byte[] hmacAuth = new byte[0]; TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, hmacAuth, TpmAlgId.Sha256); // ciclo su tutti i dati da firmare a blocchi da 1024 byte while (dataToAuth.Length > dataIndex + 1024) { // Repeat to update the hmac until we only hace <=1024 bytes left iterationBuffer = new Byte[1024]; Array.Copy(dataToAuth, dataIndex, iterationBuffer, 0, 1024); // Caricamento dei dati nel tpm (calcolo parziale) tpm.SequenceUpdate(hmacHandle, iterationBuffer); dataIndex += 1024; } // Caricamento della parte finale iterationBuffer = new Byte[dataToAuth.Length - dataIndex]; Array.Copy(dataToAuth, dataIndex, iterationBuffer, 0, dataToAuth.Length - dataIndex); TkHashcheck nullChk; // Si finalizza l'HMAC con l'ultima parte dei dati hmac = tpm.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out nullChk); // Dispose del TPM tpm.Dispose(); } catch { return(hmac); } } return(hmac); }