/// <summary> /// Gets the identifier of the device /// </summary> /// <returns></returns> public string GetHardwareDeviceId() { TpmHandle srkHandle = new TpmHandle(TPM_20_SRK_HANDLE); try { string hardwareDeviceId; // Open the TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); using (var tpm = new Tpm2(tpmDevice)) { // Read the URI from the TPM TpmPublic srk = tpm.ReadPublic(srkHandle, out byte[] name, out byte[] qualifiedName); // Calculate the hardware device id for this logical device byte[] deviceId = CryptoLib.HashData(TpmAlgId.Sha256, BitConverter.GetBytes(logicalDeviceId), name); // Produce the output string hardwareDeviceId = string.Join(string.Empty, deviceId.Select(b => b.ToString("x2"))); } return(hardwareDeviceId); } catch { } return(string.Empty); }
internal static TpmHandle CreateEncryptionDecryptionKey(Tpm2 tpm, TpmHandle parent) { var sensCreate = new SensitiveCreate(null, null); var sym = new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb); var pub = new TpmPublic(TpmAlgId.Sha256, ObjectAttr.Decrypt | ObjectAttr.UserWithAuth, null, sym, new Tpm2bDigestSymcipher()); TssObject swKey = TssObject.Create(pub); var innerWrapKey = sym == null ? null : SymCipher.Create(sym); byte[] name, qname; TpmPublic pubParent = tpm.ReadPublic(parent, out name, out qname); byte[] encSecret; TpmPrivate dupBlob = swKey.GetDuplicationBlob(pubParent, innerWrapKey, out encSecret); TpmPrivate privImp = tpm.Import(parent, innerWrapKey, swKey.Public, dupBlob, encSecret, sym ?? new SymDefObject()); TpmHandle hKey = tpm.Load(parent, privImp, swKey.Public) .SetAuth(swKey.Sensitive.authValue); return(hKey); }
} //NVCounter internal static void CreateTwoPrimaries(Tpm2 tpm) { var data = Encoding.UTF8.GetBytes("hello world"); var handle1 = KeyHelpers.CreatePrimaryRsaKey(tpm, null, null, null, out TpmPublic key); IAsymSchemeUnion decScheme = new SchemeOaep(TpmAlgId.Sha1); var cipher = tpm.RsaEncrypt(handle1, data, decScheme, null); byte[] decrypted1 = tpm.RsaDecrypt(handle1, cipher, decScheme, null); var decyyptedData = Encoding.UTF8.GetString(decrypted1); var pub = tpm.ReadPublic(handle1, out byte[] name, out byte[] qn); var enc = KeyHelpers.CreateEncryptionDecryptionKey(tpm, handle1); tpm._ExpectResponses(TpmRc.Success, TpmRc.TbsCommandBlocked); var cipher2 = tpm.EncryptDecrypt(enc, 1, TpmAlgId.None, data, data, out byte[] test2); tpm.FlushContext(handle1); var handle2 = KeyHelpers.CreatePrimary(tpm, out TpmPublic key3); //, seed: new byte[] { 22, 123, 22, 1, 33 }); tpm.FlushContext(handle2); }
private static void DumpStorageRootKey(Tpm2 tpm) { byte[] name; byte[] qualifiedName; var storageRootKey = tpm.ReadPublic(new TpmHandle(TPM2_SRK_HANDLE), out name, out qualifiedName); var srk = storageRootKey.GetTpm2BRepresentation(); Console.WriteLine($"Public Storage Root Key (SRK): {ToHexString(srk)}"); }
private static void DumpEndorsementKey(Tpm2 tpm) { byte[] name; byte[] qualifiedName; var endorcementKey = tpm.ReadPublic(new TpmHandle(TPM2_EK_HANDLE), out name, out qualifiedName); var ek = endorcementKey.GetTpm2BRepresentation(); Console.WriteLine($"Public Endorcement Key (EK): {ToHexString(ek)}"); }
public static SchemeEcdaa PrepareEcdaaScheme(Tpm2 tpm, TpmHandle signKey, ISigSchemeUnion scheme) { var schemeEcdaa = scheme as SchemeEcdaa; if (schemeEcdaa != null) { byte[] name, qualName; var keyPub = tpm.ReadPublic(signKey, out name, out qualName); ushort counter = 0; EccPoint l, E; EccPoint PP = keyPub.unique as EccPoint; tpm.Commit(signKey, PP, null, null, out l, out E, out counter); schemeEcdaa.count = counter; } return(schemeEcdaa); }
public string GetHardwareDeviceId() { TpmHandle srkHandle = new TpmHandle(SRK_HANDLE); string hardwareDeviceId = ""; Byte[] name; Byte[] qualifiedName; try { // Open the TPM Tpm2Device tpmDevice = new TbsDevice(); tpmDevice.Connect(); var tpm = new Tpm2(tpmDevice); // Read the URI from the TPM TpmPublic srk = tpm.ReadPublic(srkHandle, out name, out qualifiedName); // Dispose of the TPM tpm.Dispose(); } catch { return(hardwareDeviceId); } // Calculate the hardware device id for this logical device byte[] deviceId = CryptoLib.HashData(TpmAlgId.Sha256, BitConverter.GetBytes(logicalDeviceId), name); // Produce the output string foreach (byte n in deviceId) { hardwareDeviceId += n.ToString("x2"); } return(hardwareDeviceId); }
public static TpmPublic ReadPublic(Tpm2 tpm, TpmHandle h) { byte[] name, qualName; return(tpm.ReadPublic(h, out name, out qualName)); }
/// <summary> /// Performs the following operations: /// - Generates in software (using TSS.net helpers) a key with the given template, /// - Creates TPM-compatible dupliction blob for the given TPM based parent key, /// - Import the duplication blob into TPM /// - Loads the imported key into the TPM /// - Makes sure that the imported key works. /// </summary> /// <param name="tpm">TPM instance to use</param> /// <param name="keyPub">Template for the software generated key.</param> /// <param name="hParent">Intended TPM based parent key for the software generated key.</param> /// <param name="innerSymDef">Specification of the optional inner wrapper for the duplication blob.</param> static void GenerateAndImport(Tpm2 tpm, TpmPublic keyPub, TpmHandle hParent, SymDefObject innerSymDef = null) { // // Create a software key with the given template // // Generate a random auth value for the key to be created (though we could // use an empty buffer, too). var keyAuth = AuthValue.FromRandom(CryptoLib.DigestSize(keyPub.nameAlg)); // Generate the key TssObject swKey = TssObject.Create(keyPub, keyAuth); // // Create duplication blob for the new key with the SRK as the new parent // // Create a symmetric software key if an inner wrapper is requested. var innerWrapKey = innerSymDef == null ? null : SymCipher.Create(innerSymDef); // Retrieve the public area of the intended parent key from the TPM // We do not need the name (and qualified name) of the key here, but // the TPM command returns them anyway. // NOTE - Alternatively we could get the public area from the overloaded // form of the CreateRsaPrimaryStorageKey() helper used to create the parent // key, as all TPM key creation commands (TPM2_CreatePrimary(), TPM2_Create() // and TPM2_CreateLoaded()) return it. byte[] name, qname; TpmPublic pubParent = tpm.ReadPublic(hParent, out name, out qname); byte[] encSecret; TpmPrivate dupBlob = swKey.GetDuplicationBlob(pubParent, innerWrapKey, out encSecret); // Import the duplication blob into the TPM TpmPrivate privImp = tpm.Import(hParent, innerWrapKey, swKey.Public, dupBlob, encSecret, innerSymDef ?? new SymDefObject()); // Load the imported key ... TpmHandle hKey = tpm.Load(hParent, privImp, swKey.Public) .SetAuth(swKey.Sensitive.authValue); // ... and validate that it works byte[] message = Globs.GetRandomBytes(32); if (keyPub.objectAttributes.HasFlag(ObjectAttr.Decrypt)) { // Encrypt something if (keyPub.type == TpmAlgId.Symcipher) { // Only need software symcypher here to query IV size. // Normally, when you use a fixed algorithm, you can hardcode it. var swSym = SymCipher.Create(keyPub.parameters as SymDefObject); byte[] ivIn = Globs.GetRandomBytes(swSym.IVSize), ivOut = null; byte[] cipher = swKey.Encrypt(message, ref ivIn, out ivOut); // Not all TPMs implement TPM2_EncryptDecrypt() command tpm._ExpectResponses(TpmRc.Success, TpmRc.TbsCommandBlocked); byte[] decrypted = tpm.EncryptDecrypt(hKey, 1, TpmAlgId.Null, ivIn, cipher, out ivOut); if (tpm._LastCommandSucceeded()) { bool decOk = Globs.ArraysAreEqual(message, decrypted); Console.WriteLine("Imported symmetric key validation {0}", decOk ? "SUCCEEDED" : "FAILED"); } } } else { // Sign something (works for both asymmetric and MAC keys) string keyType = keyPub.type == TpmAlgId.Rsa ? "RSA" : keyPub.type == TpmAlgId.Keyedhash ? "HMAC" : "UNKNOWN"; // Should not happen in this sample TpmAlgId sigHashAlg = GetSchemeHash(keyPub); TpmHash toSign = TpmHash.FromData(sigHashAlg, message); var proofx = new TkHashcheck(TpmRh.Null, null); ISignatureUnion sig = tpm.Sign(hKey, toSign, null, proofx); bool sigOk = swKey.VerifySignatureOverHash(toSign, sig); Console.WriteLine("Imported {0} key validation {1}", keyType, sigOk ? "SUCCEEDED" : "FAILED"); } // Free TPM resources taken by the loaded imported key tpm.FlushContext(hKey); } // GenerateAndImport