void TestCertifyX509_1(Tpm2 tpm, TestContext testCtx)
{
testCtx.ReportParams("Test phase: TestCertifyX509_1");
var policy = new PolicyTree(TpmAlgId.Sha256);
policy.SetPolicyRoot(new TpmPolicyCommand(TpmCc.CertifyX509));
var keyTemplate = new TpmPublic(
TpmAlgId.Sha256,
ObjectAttr.Restricted | ObjectAttr.Sign | ObjectAttr.FixedParent | ObjectAttr.FixedTPM | ObjectAttr.UserWithAuth | ObjectAttr.AdminWithPolicy | ObjectAttr.SensitiveDataOrigin,
policy.GetPolicyDigest(),
new RsaParms(new SymDefObject(), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0),
new Tpm2bPublicKeyRsa()
);
// Make two keys
TpmPublic certifyingKeyPub, keyToBeCertifiedPub;
TpmHandle hCertifyingKey = Substrate.CreatePrimary(tpm, keyTemplate, out certifyingKeyPub);
TpmHandle hKeyToBeCertified = Substrate.CreatePrimary(tpm, keyTemplate, out keyToBeCertifiedPub);
var partialCert = CertifyX509Support.MakeExemplarPartialCert();
var partialCertBytes = partialCert.GetDerEncoded();
// If you want to paste in your own hex put it here and s
//var partialCertBytes = Globs.ByteArrayFromHex("01020304");
AuthSession sess = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
sess.RunPolicy(tpm, policy);
// I used this to test that the auth is OK. Of course you need to change the PolicyCommandCode above
//var attestInfo = tpm[sess].Certify(hKeyToBeCertified, hCertifyingKey, new byte[0], new NullSigScheme(), out var legacySignature);
byte[] tbsHash;
ISignatureUnion signature;
byte[] addedTo = tpm[sess].CertifyX509(hKeyToBeCertified, hCertifyingKey, new byte[0], new NullSigScheme(), partialCertBytes, out tbsHash, out signature);
var addedToCert = AddedToCertificate.FromDerEncoding(addedTo);
var returnedCert = CertifyX509Support.AssembleCertificate(partialCert, addedToCert, ((SignatureRsa)signature).GetTpmRepresentation());
// Does the expected hash match the returned hash?
var tbsBytes = returnedCert.GetTbsCertificate();
var expectedTbsHash = TpmHash.FromData(TpmAlgId.Sha256, tbsBytes);
Debug.Assert(Globs.ArraysAreEqual(expectedTbsHash.HashData, tbsHash));
// If you get this far we can check the cert is properly signed but we'll need to do a
// bit of TPM<->Bouncy Castle data type conversion.
tpm.FlushContext(hCertifyingKey);
tpm.FlushContext(hKeyToBeCertified);
} // TestCertifyX509_1
/// <summary>
/// Illustrates various cases of automatic authorization handling.
/// </summary>
static void AutomaticAuth(Tpm2 tpm)
{
TpmHandle primHandle = CreateRsaPrimaryKey(tpm);
TpmPublic keyPublic;
TpmHandle keyHandle = CreateSigningDecryptionKey(tpm, primHandle, out keyPublic);
byte[] message = Globs.GetRandomBytes(32);
IAsymSchemeUnion decScheme = new SchemeOaep(TpmAlgId.Sha1);
ISigSchemeUnion sigScheme = new SchemeRsassa(TpmAlgId.Sha1);
//
// TSS.Net implicitly creates an auth session to authorize keyHandle.
// It uses the auth value cached in the TpmHandle object.
//
byte[] encrypted = tpm.RsaEncrypt(keyHandle, message, decScheme, null);
Console.WriteLine("Automatic authorization of a decryption key.");
//
// An auth session is added automatically when TPM object is not in strict mode.
//
byte[] decrypted1 = tpm.RsaDecrypt(keyHandle, encrypted, decScheme, null);
byte[] nonceTpm;
Console.WriteLine("Session object construction.");
//
// If a session with specific properties is required, an AuthSession object
// can be built from the session handle returned by the TPM2_StartAuthSession
// command concatenated, if necessary, with session flags and unencrypted salt
// value (not used in this example).
//
AuthSession auditSess = tpm.StartAuthSession(
TpmRh.Null, // no salt
TpmRh.Null, // no bind object
Globs.GetRandomBytes(16), // nonceCaller
null, // no salt
TpmSe.Hmac, // session type
new SymDef(), // no encryption/decryption
TpmAlgId.Sha256, // authHash
out nonceTpm)
+ (SessionAttr.ContinueSession | SessionAttr.Audit);
/*
* Alternatively one of the StartAuthSessionEx helpers can be used). E.g.
*
* AuthSession auditSess = tpm.StartAuthSessionEx(TpmSe.Hmac, TpmAlgId.Sha256,
* SessionAttr.ContinueSession | SessionAttr.Audit);
*/
//
// TSS.Net specific call to verify TPM auditing correctness.
//
tpm._SetCommandAuditAlgorithm(TpmAlgId.Sha256);
Console.WriteLine("Automatic authorization using explicitly created session object.");
//
// Appropriate auth value is added automatically into the provided session.
//
// Note that the call to _Audit() is optional and is only used when one
// needs the TSS.Net framework to compute the audit digest on its own (e.g.
// when simulating the TPM functionality without access to an actual TPM).
//
byte[] decrypted2 = tpm[auditSess]._Audit()
.RsaDecrypt(keyHandle, encrypted, decScheme, null);
ISignatureUnion signature;
Attest attest;
//
// A session is added automatically to authorize usage of the permanent
// handle TpmRh.Endorsement.
//
// Note that if auth value of TpmRh.Endorsement is not empty, you need to
// explicitly assign it to the tpm.EndorsementAuth property of the given
// Tpm2 object.
//
attest = tpm.GetSessionAuditDigest(TpmRh.Endorsement, TpmRh.Null, auditSess,
null, new NullSigScheme(), out signature);
//
// But if the corresponding auth value stored in the Tpm2 object is invalid, ...
//
AuthValue endorsementAuth = tpm.EndorsementAuth;
tpm.EndorsementAuth = Globs.ByteArray(16, 0xde);
//
// ... the command will fail.
//
tpm._ExpectError(TpmRc.BadAuth)
.GetSessionAuditDigest(TpmRh.Endorsement, TpmRh.Null, auditSess,
null, new NullSigScheme(), out signature);
//
// Restore correct auth value.
//
tpm.EndorsementAuth = endorsementAuth;
//
// Verify that decryption worked correctly.
//
Debug.Assert(Globs.ArraysAreEqual(decrypted1, decrypted2));
//
// Verify that auditing worked correctly.
//
SessionAuditInfo info = (SessionAuditInfo)attest.attested;
Debug.Assert(Globs.ArraysAreEqual(info.sessionDigest, tpm._GetAuditHash().HashData));
Console.WriteLine("Auth value tracking by TSS.Net.");
//
// Change auth value of the decryption key.
//
TpmPrivate newKeyPrivate = tpm.ObjectChangeAuth(keyHandle, primHandle, AuthValue.FromRandom(16));
TpmHandle newKeyHandle = tpm.Load(primHandle, newKeyPrivate, keyPublic);
//
// Allow non-exclusive usage of the audit session.
//
auditSess.Attrs &= ~SessionAttr.AuditExclusive;
//
// Correct auth value (corresponding to newKeyHandle, and different from
// the one used for keyHandle) will be added to auditSess.
//
decrypted1 = tpm[auditSess]._Audit()
.RsaDecrypt(newKeyHandle, encrypted, decScheme, null);
Console.WriteLine("Automatic authorization with multiple sessions.");
//
// Now two sessions are auto-generated (for TpmRh.Endorsement and keyHandle).
//
attest = tpm.GetSessionAuditDigest(TpmRh.Endorsement, keyHandle, auditSess,
null, sigScheme, out signature);
//
// Verify that the previous command worked correctly.
//
bool sigOk = keyPublic.VerifySignatureOverData(Marshaller.GetTpmRepresentation(attest),
signature);
Debug.Assert(sigOk);
//
// In the following example the first session is generated based on session
// type indicator (Auth.Pw), and the second one is added automatically.
//
attest = tpm[Auth.Pw].GetSessionAuditDigest(TpmRh.Endorsement, keyHandle, auditSess,
null, sigScheme, out signature);
//
// Verify that the previous command worked correctly.
//
sigOk = keyPublic.VerifySignatureOverData(Marshaller.GetTpmRepresentation(attest),
signature);
Debug.Assert(sigOk);
//
// Release TPM resources that we do not need anymore.
//
tpm.FlushContext(newKeyHandle);
tpm.FlushContext(auditSess);
//
// The following example works correctly only when TPM resource management
// is not enabled (e.g. with TPM simulator, or when actual TPM is in raw mode).
//
if (!tpm._GetUnderlyingDevice().HasRM())
{
Console.WriteLine("Using session type indicators.");
//
// Deplete TPM's active session storage
//
List <AuthSession> landfill = new List <AuthSession>();
for (;;)
{
tpm._AllowErrors();
AuthSession s = tpm.StartAuthSessionEx(TpmSe.Hmac, TpmAlgId.Sha256,
SessionAttr.ContinueSession);
if (!tpm._LastCommandSucceeded())
{
break;
}
landfill.Add(s);
}
//
// Check if session type indicators are processed correctly
//
tpm[Auth.Hmac]._ExpectError(TpmRc.SessionMemory)
.RsaDecrypt(keyHandle, encrypted, new NullAsymScheme(), null);
//
// Password authorization protocol session uses a predefined handle value,
// so it must work even when there are no free session slots in the TPM.
//
tpm[Auth.Pw].RsaDecrypt(keyHandle, encrypted, new NullAsymScheme(), null);
//
// Check if default session type defined by the TPM device is processed correctly.
//
bool needHmac = tpm._GetUnderlyingDevice().NeedsHMAC;
tpm._GetUnderlyingDevice().NeedsHMAC = true;
tpm._ExpectError(TpmRc.SessionMemory)
.RsaDecrypt(keyHandle, encrypted, new NullAsymScheme(), null);
tpm[Auth.Default]._ExpectError(TpmRc.SessionMemory)
.RsaDecrypt(keyHandle, encrypted, new NullAsymScheme(), null);
tpm._GetUnderlyingDevice().NeedsHMAC = false;
tpm.RsaDecrypt(keyHandle, encrypted, new NullAsymScheme(), null);
tpm[Auth.Default].RsaDecrypt(keyHandle, encrypted, new NullAsymScheme(), null);
tpm._GetUnderlyingDevice().NeedsHMAC = needHmac;
landfill.ForEach(s => tpm.FlushContext(s));
}
//
// Release TPM resources.
//
tpm.FlushContext(keyHandle);
tpm.FlushContext(primHandle);
Console.WriteLine("Done.");
}
public void AssertNotEqual(string label, byte[] arr1, byte[] arr2,
params Object[] parms)
{
Assert(label, !Globs.ArraysAreEqual(arr1, arr2), Gather(arr1, arr2, parms));
}
/// <summary>
/// Performs the following operations:
/// - Generates in software (using TSS.net helpers) a key with the given template,
/// - Creates TPM-compatible dupliction blob for the given TPM based parent key,
/// - Import the duplication blob into TPM
/// - Loads the imported key into the TPM
/// - Makes sure that the imported key works.
/// </summary>
/// <param name="tpm">TPM instance to use</param>
/// <param name="keyPub">Template for the software generated key.</param>
/// <param name="hParent">Intended TPM based parent key for the software generated key.</param>
/// <param name="innerSymDef">Specification of the optional inner wrapper for the duplication blob.</param>
static void GenerateAndImport(Tpm2 tpm, TpmPublic keyPub, TpmHandle hParent,
SymDefObject innerSymDef = null)
{
//
// Create a software key with the given template
//
// Generate a random auth value for the key to be created (though we could
// use an empty buffer, too).
var keyAuth = AuthValue.FromRandom(CryptoLib.DigestSize(keyPub.nameAlg));
// Generate the key
TssObject swKey = TssObject.Create(keyPub, keyAuth);
//
// Create duplication blob for the new key with the SRK as the new parent
//
// Create a symmetric software key if an inner wrapper is requested.
var innerWrapKey = innerSymDef == null ? null : SymCipher.Create(innerSymDef);
// Retrieve the public area of the intended parent key from the TPM
// We do not need the name (and qualified name) of the key here, but
// the TPM command returns them anyway.
// NOTE - Alternatively we could get the public area from the overloaded
// form of the CreateRsaPrimaryStorageKey() helper used to create the parent
// key, as all TPM key creation commands (TPM2_CreatePrimary(), TPM2_Create()
// and TPM2_CreateLoaded()) return it.
byte[] name, qname;
TpmPublic pubParent = tpm.ReadPublic(hParent, out name, out qname);
byte[] encSecret;
TpmPrivate dupBlob = swKey.GetDuplicationBlob(pubParent, innerWrapKey, out encSecret);
// Import the duplication blob into the TPM
TpmPrivate privImp = tpm.Import(hParent, innerWrapKey, swKey.Public, dupBlob,
encSecret, innerSymDef ?? new SymDefObject());
// Load the imported key ...
TpmHandle hKey = tpm.Load(hParent, privImp, swKey.Public)
.SetAuth(swKey.Sensitive.authValue);
// ... and validate that it works
byte[] message = Globs.GetRandomBytes(32);
if (keyPub.objectAttributes.HasFlag(ObjectAttr.Decrypt))
{
// Encrypt something
if (keyPub.type == TpmAlgId.Symcipher)
{
// Only need software symcypher here to query IV size.
// Normally, when you use a fixed algorithm, you can hardcode it.
var swSym = SymCipher.Create(keyPub.parameters as SymDefObject);
byte[] ivIn = Globs.GetRandomBytes(swSym.IVSize),
ivOut = null;
byte[] cipher = swKey.Encrypt(message, ref ivIn, out ivOut);
// Not all TPMs implement TPM2_EncryptDecrypt() command
tpm._ExpectResponses(TpmRc.Success, TpmRc.TbsCommandBlocked);
byte[] decrypted = tpm.EncryptDecrypt(hKey, 1, TpmAlgId.Null, ivIn,
cipher, out ivOut);
if (tpm._LastCommandSucceeded())
{
bool decOk = Globs.ArraysAreEqual(message, decrypted);
Console.WriteLine("Imported symmetric key validation {0}",
decOk ? "SUCCEEDED" : "FAILED");
}
}
}
else
{
// Sign something (works for both asymmetric and MAC keys)
string keyType = keyPub.type == TpmAlgId.Rsa ? "RSA"
: keyPub.type == TpmAlgId.Keyedhash ? "HMAC"
: "UNKNOWN"; // Should not happen in this sample
TpmAlgId sigHashAlg = GetSchemeHash(keyPub);
TpmHash toSign = TpmHash.FromData(sigHashAlg, message);
var proofx = new TkHashcheck(TpmRh.Null, null);
ISignatureUnion sig = tpm.Sign(hKey, toSign, null, proofx);
bool sigOk = swKey.VerifySignatureOverHash(toSign, sig);
Console.WriteLine("Imported {0} key validation {1}", keyType,
sigOk ? "SUCCEEDED" : "FAILED");
}
// Free TPM resources taken by the loaded imported key
tpm.FlushContext(hKey);
} // GenerateAndImport
void TestCertifyX509Impl(Tpm2 tpm, TestContext testCtx,
TpmPublic subjectTemplate, TpmPublic sigKeyTemplate,
PolicyTree policy, string testLabel)
{
var partialCert = X509Helpers.MakePartialCert(subjectTemplate);
var partialCertBytes = partialCert.GetDerEncoded();
// If you want to paste in your own hex put it here and s
//var partialCertBytes = Globs.ByteArrayFromHex("01020304");
// Certify RSA with RSA
TpmPublic certifyingKeyPub, keyToBeCertifiedPub;
TpmHandle hSigKey = Substrate.CreatePrimary(tpm, sigKeyTemplate, out certifyingKeyPub);
TpmHandle hSubjectKey = Substrate.CreatePrimary(tpm, subjectTemplate, out keyToBeCertifiedPub);
AuthSession sess = tpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha256);
sess.RunPolicy(tpm, policy);
ISignatureUnion sig;
byte[] tbsHash;
byte[] addedTo = tpm[sess].CertifyX509(hSubjectKey, hSigKey,
null, new NullSigScheme(), partialCertBytes,
out tbsHash, out sig);
tpm.FlushContext(sess);
tpm.FlushContext(hSubjectKey);
var addedToCert = AddedToCertificate.FromDerEncoding(addedTo);
X509Certificate returnedCert = X509Helpers.AssembleCertificate(partialCert, addedToCert,
sig is SignatureRsa ? ((SignatureRsa)sig).GetTpmRepresentation()
: ((SignatureEcc)sig).GetTpmRepresentation());
// Does the expected hash match the returned hash?
var tbsBytes = returnedCert.GetTbsCertificate();
var expectedTbsHash = TpmHash.FromData(TpmAlgId.Sha256, tbsBytes);
Debug.Assert(Globs.ArraysAreEqual(expectedTbsHash.HashData, tbsHash));
// Is the cert properly signed?
if (TpmHelper.GetScheme(sigKeyTemplate).GetUnionSelector() != TpmAlgId.Rsapss)
{
// Software crypto layer does not support PSS
bool sigOk = certifyingKeyPub.VerifySignatureOverHash(tbsHash, sig);
if (sigKeyTemplate.type == TpmAlgId.Ecc)
{
#if !__NETCOREAPP2__
// No ECC in .Net Core
testCtx.Assert("Sign" + testLabel, sigOk);
#endif
}
else
{
testCtx.Assert("Sign" + testLabel, sigOk);
}
}
tpm.VerifySignature(hSigKey, tbsHash, sig);
tpm.FlushContext(hSigKey);
}