Esempio n. 1
0
        /// <summary>
        /// Seals data to the specified pcr selection,
        /// create a valid pcr selection with session.CreateEmptyPCRSelection
        /// </summary>
        /// <param name="pcrSelection"></param>
        /// <param name="data">Data to seal</param>
        /// <returns></returns>
        public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
        {
            Parameters paramsSeal = new Parameters();

            paramsSeal.AddPrimitiveType("in_data", data);
            paramsSeal.AddPrimitiveType("key", _keyIdentifier);
            paramsSeal.AddValue("pcr_selection", pcrSelection);

            Parameters paramsSecret = new Parameters();

            paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
            ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));

            if (authSeal.Hashed == false)
            {
                authSeal.Hash();
            }

            authSeal.DecryptHash();
            paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);

            try
            {
                TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
                return(sealResponse.Parameters.GetValueOf <byte[]>("data"));
            }
            finally
            {
                if (authSeal != null)
                {
                    authSeal.ClearHash();
                }
            }
        }
Esempio n. 2
0
        /// <summary>
        /// Creates a new counter if possible.
        /// Creating a counter requires the owner password and also the secret_counter secret
        /// </summary>
        /// <param name="label">4 bytes to label the counter</param>
        /// <returns></returns>
        public CounterContext CreateCounter(byte[] label)
        {
            if (label.Length != 4)
            {
                throw new ArgumentException("label needs to be of size 4");
            }

            ProtectedPasswordStorage counterSecret = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()));

            if (counterSecret.Hashed == false)
            {
                counterSecret.Hash();
            }

            counterSecret.DecryptHash();

            Parameters createCounterParams = new Parameters();

            createCounterParams.AddPrimitiveType("secret", counterSecret.HashValue);
            createCounterParams.AddPrimitiveType("label", label);

            return(new CounterContext(_tpmSession,
                                      _tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_CreateCounter, createCounterParams))
                                      .Parameters.GetValueOf <uint>("counter_id")
                                      ));
        }
        public void TakeOwnership(ProtectedPasswordStorage ownerSecret, ProtectedPasswordStorage srkSecret)
        {
            _tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_OWNER, ownerSecret);
            _tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_SRK, srkSecret);


            IAsymmetricBlockCipher ekEncryptor = _tpmSession.EndorsementKeyHandling.PublicKey.CreateRSAEncrypter();

            ownerSecret.DecryptHash();
            byte[] encOwnerSecret = ekEncryptor.ProcessBlock(ownerSecret.HashValue, 0, ownerSecret.HashValue.Length);
            ownerSecret.ClearHash();

            srkSecret.DecryptHash();
            byte[] encSrkSecret = ekEncryptor.ProcessBlock(srkSecret.HashValue, 0, srkSecret.HashValue.Length);
            srkSecret.ClearHash();

            Parameters parameters = new Parameters();

            parameters.AddPrimitiveType(PARAM_OWNERAUTH, encOwnerSecret);
            parameters.AddPrimitiveType(PARAM_SRKAUTH, encSrkSecret);

            /*TPMCommandResponse response = */ BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_TakeOwnership, parameters);
        }
Esempio n. 4
0
        public ClientKeyHandle CreateKey(string friendlyName, uint keyLength, TPMKeyUsage keyUsage, TPMKeyFlags keyFlags)
        {
            Parameters paramsCreateWrapKey = new Parameters();

            paramsCreateWrapKey.AddPrimitiveType("parent", KeyIdentifier);
            paramsCreateWrapKey.AddPrimitiveType("key_usage", keyUsage);
            paramsCreateWrapKey.AddPrimitiveType("key_flags", keyFlags);
            paramsCreateWrapKey.AddPrimitiveType("key_length", keyLength);
            paramsCreateWrapKey.AddPrimitiveType("exponent", new byte[0]);
            paramsCreateWrapKey.AddPrimitiveType("num_primes", (uint)0);

            if (keyUsage == TPMKeyUsage.TPM_KEY_SIGNING)
            {
                paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_NONE);
                paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1);
            }
            else
            {
                paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_RSAESOAEP_SHA1_MGF1);
                paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_NONE);
            }

            Parameters parameters = new Parameters();

            parameters.AddPrimitiveType("identifierIsFriendlyName", true);
            parameters.AddPrimitiveType("identifier", friendlyName);

            ProtectedPasswordStorage authUsage = _tpmSession.RequestSecret(
                new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));

            if (authUsage.Hashed == false)
            {
                authUsage.Hash();
            }

            authUsage.DecryptHash();
            paramsCreateWrapKey.AddPrimitiveType("usage_auth", authUsage.HashValue);

            ProtectedPasswordStorage authMigration = null;

            if ((keyFlags & TPMKeyFlags.Migratable) == TPMKeyFlags.Migratable)
            {
                authMigration = _tpmSession.RequestSecret(
                    new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyMigrationSecret, parameters));
                authMigration.DecryptHash();
                paramsCreateWrapKey.AddPrimitiveType("migration_auth", authMigration.HashValue);
            }
            else
            {
                paramsCreateWrapKey.AddPrimitiveType("migration_auth", new byte[20]);
            }

            try
            {
                TPMCommandResponse responseCreateWrapKey =
                    BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_CreateWrapKey, paramsCreateWrapKey);

                _tpmSession.Keystore.AddKey(
                    friendlyName,
                    responseCreateWrapKey.Parameters.GetValueOf <string>("key_identifier"),
                    this.FriendlyName,
                    responseCreateWrapKey.Parameters.GetValueOf <byte[]>("key_data"));

                return(new ClientKeyHandle(friendlyName, responseCreateWrapKey.Parameters.GetValueOf <string>("key_identifier"), _tpmSession));
            }
            finally
            {
                if (authMigration != null)
                {
                    authMigration.ClearHash();
                }

                if (authUsage != null)
                {
                    authUsage.ClearHash();
                }
            }
        }