public static byte[] Decrypt(SymDefObject symDef, byte[] key, byte[] iv, byte[] dataToDecrypt)
{
using (SymmCipher cipher = Create(symDef, key, iv))
{
return(cipher.Decrypt(dataToDecrypt));
}
}
/// <summary>
/// De-envelope inner-wrapped duplication blob.
/// TODO: Move this to TpmPublic and make it fully general
/// </summary>
/// <param name="exportedPrivate"></param>
/// <param name="encAlg"></param>
/// <param name="encKey"></param>
/// <param name="nameAlg"></param>
/// <param name="name"></param>
/// <returns></returns>
public static Sensitive SensitiveFromDuplicateBlob(TpmPrivate exportedPrivate, SymDefObject encAlg, byte[] encKey, TpmAlgId nameAlg, byte[] name)
{
byte[] dupBlob = exportedPrivate.buffer;
byte[] sensNoLen;
using (SymmCipher c = Create(encAlg, encKey))
{
byte[] innerObject = c.Decrypt(dupBlob);
byte[] innerIntegrity, sensitive;
KDF.Split(innerObject,
16 + CryptoLib.DigestSize(nameAlg) * 8,
out innerIntegrity,
8 * (innerObject.Length - CryptoLib.DigestSize(nameAlg) - 2),
out sensitive);
byte[] expectedInnerIntegrity = Marshaller.ToTpm2B(CryptoLib.HashData(nameAlg, sensitive, name));
if (!Globs.ArraysAreEqual(expectedInnerIntegrity, innerIntegrity))
{
Globs.Throw("SensitiveFromDuplicateBlob: Bad inner integrity");
}
sensNoLen = Marshaller.Tpm2BToBuffer(sensitive);
}
var sens = Marshaller.FromTpmRepresentation <Sensitive>(sensNoLen);
return(sens);
}
/// <summary>
/// Creates a Private area for this key that will be loadable on a TPM though TPM2_Load() if the target TPM already has the parent
/// storage key "parent" loaded. This function lets applications create key-hierarchies in software that can be loaded into
/// a TPM once the parent has been "TPM2_Import'ed."
/// TPM2_Import() supports plaintext import. To get this sort of import blob set intendedParent
/// to null
/// </summary>
/// <param name="intendedParent"></param>
/// <returns></returns>
public TpmPrivate GetPrivate(TssObject intendedParent)
{
SymDefObject symDef = GetSymDef(intendedParent.publicPart);
// Figure out how many bits we will need from the KDF
byte[] parentSymValue = intendedParent.sensitivePart.seedValue;
byte[] iv = Globs.GetRandomBytes(SymmCipher.GetBlockSize(symDef));
// The encryption key is calculated with a KDF
byte[] symKey = KDF.KDFa(intendedParent.publicPart.nameAlg,
parentSymValue,
"STORAGE",
GetName(),
new byte[0],
symDef.KeyBits);
byte[] newPrivate = KeyWrapper.CreatePrivateFromSensitive(symDef,
symKey,
iv,
sensitivePart,
publicPart.nameAlg,
publicPart.GetName(),
intendedParent.publicPart.nameAlg,
intendedParent.sensitivePart.seedValue);
return(new TpmPrivate(newPrivate));
}
/// <summary>
/// Creates a *software* root key. The key will be random (not created from a seed). The key can be used
/// as the root of a software hierarchy that can be translated into a duplication blob ready for import into
/// a TPM. Depending on the type of key, the software root key can be a parent for other root keys that can
/// comprise a migration group. The caller should specify necessary key parameters in Public.
/// </summary>
/// <returns></returns>
public static TssObject CreateStorageParent(TpmPublic keyParameters, AuthValue authVal)
{
var newKey = new TssObject();
// Create a new asymmetric key from the supplied parameters
IPublicIdUnion publicId;
ISensitiveCompositeUnion sensitiveData = CreateSensitiveComposite(keyParameters, out publicId);
// fill in the public data
newKey.publicPart = keyParameters.Copy();
newKey.publicPart.unique = publicId;
// Create the associated symmetric key -
SymDefObject symDef = GetSymDef(keyParameters);
byte[] symmKey;
if (symDef.Algorithm != TpmAlgId.Null)
{
using (var symmCipher = SymmCipher.Create(symDef))
{
symmKey = symmCipher.KeyData;
}
}
else
{
symmKey = new byte[0];
}
// Fill in the fields for the symmetric private-part of the asymmetric key
var sens = new Sensitive(authVal.AuthVal, symmKey, sensitiveData);
newKey.sensitivePart = sens;
// And return the new key
return(newKey);
}
/// <summary>
/// Create activation blobs that can be passed to ActivateCredential. Two blobs are returned -
/// (a) - encryptedSecret - is the symmetric key cfb-symmetrically encrypted with an enveloping key
/// (b) credentialBlob (the return value of this function) - is the enveloping key OEAP (RSA) encrypted
/// by the public part of this key.
/// </summary>
/// <param name="secret"></param>
/// <param name="nameAlgId"></param>
/// <param name="nameOfKeyToBeActivated"></param>
/// <param name="encryptedSecret"></param>
/// <returns>CredentialBlob (</returns>
public byte[] CreateActivationCredentials(
byte[] secret,
TpmAlgId nameAlgId,
byte[] nameOfKeyToBeActivated,
out byte[] encryptedSecret)
{
byte[] seed, encSecret;
switch (type)
{
case TpmAlgId.Rsa:
// The seed should be the same size as the symmKey
seed = Globs.GetRandomBytes((CryptoLib.DigestSize(nameAlg) + 7) / 8);
encSecret = EncryptOaep(seed, ActivateEncodingParms);
break;
case TpmAlgId.Ecc:
EccPoint pubEphem;
seed = EcdhGetKeyExchangeKey(ActivateEncodingParms, nameAlg, out pubEphem);
encSecret = Marshaller.GetTpmRepresentation(pubEphem);
break;
default:
Globs.Throw <NotImplementedException>("CreateActivationCredentials: Unsupported algorithm");
encryptedSecret = new byte[0];
return(new byte[0]);
}
var cvx = new Tpm2bDigest(secret);
byte[] cvTpm2B = Marshaller.GetTpmRepresentation(cvx);
SymDefObject symDef = TssObject.GetSymDef(this);
byte[] symKey = KDF.KDFa(nameAlg, seed, "STORAGE", nameOfKeyToBeActivated, new byte[0], symDef.KeyBits);
byte[] encIdentity;
using (SymmCipher symm2 = SymmCipher.Create(symDef, symKey))
{
encIdentity = symm2.Encrypt(cvTpm2B);
}
var hmacKeyBits = CryptoLib.DigestSize(nameAlg);
byte[] hmacKey = KDF.KDFa(nameAlg, seed, "INTEGRITY", new byte[0], new byte[0], hmacKeyBits * 8);
byte[] outerHmac = CryptoLib.HmacData(nameAlg,
hmacKey,
Globs.Concatenate(encIdentity, nameOfKeyToBeActivated));
byte[] activationBlob = Globs.Concatenate(
Marshaller.ToTpm2B(outerHmac),
encIdentity);
encryptedSecret = encSecret;
return(activationBlob);
}
internal byte[] ParmEncrypt(byte[] parm, Direction inOrOut)
{
if (Symmetric == null)
{
Globs.Throw("parameter encryption cipher not defined");
return(parm);
}
if (Symmetric.Algorithm == TpmAlgId.Null)
{
return(parm);
}
byte[] nonceNewer, nonceOlder;
if (inOrOut == Direction.Command)
{
nonceNewer = NonceCaller;
nonceOlder = NonceTpm;
}
else
{
nonceNewer = NonceTpm;
nonceOlder = NonceCaller;
}
byte[] encKey = (AuthHandle != null && AuthHandle.Auth != null)
? SessionKey.Concat(Globs.TrimTrailingZeros(AuthHandle.Auth)).ToArray()
: SessionKey;
if (Symmetric.Algorithm == TpmAlgId.Xor)
{
return(CryptoLib.KdfThenXor(AuthHash, encKey, nonceNewer, nonceOlder, parm));
}
int keySize = (Symmetric.KeyBits + 7) / 8,
blockSize = SymmCipher.GetBlockSize(Symmetric),
bytesRequired = keySize + blockSize;
byte[] keyInfo = KDF.KDFa(AuthHash, encKey, "CFB", nonceNewer, nonceOlder, bytesRequired * 8);
var key = new byte[keySize];
Array.Copy(keyInfo, 0, key, 0, keySize);
var iv = new byte[blockSize];
Array.Copy(keyInfo, keySize, iv, 0, blockSize);
// Make a new SymmCipher from the key and IV and do the encryption.
using (SymmCipher s = SymmCipher.Create(Symmetric, key, iv))
{
return(inOrOut == Direction.Command ? s.Encrypt(parm) : s.Decrypt(parm));
}
}
/// <summary>
/// Create an enveloped (encrypted and integrity protected) private area from a provided sensitive.
/// </summary>
/// <param name="iv"></param>
/// <param name="sens"></param>
/// <param name="nameHash"></param>
/// <param name="publicName"></param>
/// <param name="symWrappingAlg"></param>
/// <param name="symKey"></param>
/// <param name="parentNameAlg"></param>
/// <param name="parentSeed"></param>
/// <param name="f"></param>
/// <returns></returns>
public static byte[] CreatePrivateFromSensitive(
SymDefObject symWrappingAlg,
byte[] symKey,
byte[] iv,
Sensitive sens,
TpmAlgId nameHash,
byte[] publicName,
TpmAlgId parentNameAlg,
byte[] parentSeed,
TssObject.Transformer f = null)
{
// ReSharper disable once InconsistentNaming
byte[] tpm2bIv = Marshaller.ToTpm2B(iv);
Transform(tpm2bIv, f);
byte[] sensitive = sens.GetTpmRepresentation();
Transform(sensitive, f);
// ReSharper disable once InconsistentNaming
byte[] tpm2bSensitive = Marshaller.ToTpm2B(sensitive);
Transform(tpm2bSensitive, f);
byte[] encSensitive = SymmCipher.Encrypt(symWrappingAlg, symKey, iv, tpm2bSensitive);
Transform(encSensitive, f);
byte[] decSensitive = SymmCipher.Decrypt(symWrappingAlg, symKey, iv, encSensitive);
Debug.Assert(f != null || Globs.ArraysAreEqual(decSensitive, tpm2bSensitive));
var hmacKeyBits = CryptoLib.DigestSize(parentNameAlg) * 8;
byte[] hmacKey = KDF.KDFa(parentNameAlg, parentSeed, "INTEGRITY", new byte[0], new byte[0], hmacKeyBits);
Transform(hmacKey, f);
byte[] dataToHmac = Marshaller.GetTpmRepresentation(tpm2bIv,
encSensitive,
publicName);
Transform(dataToHmac, f);
byte[] outerHmac = CryptoLib.HmacData(parentNameAlg, hmacKey, dataToHmac);
Transform(outerHmac, f);
byte[] priv = Marshaller.GetTpmRepresentation(Marshaller.ToTpm2B(outerHmac),
tpm2bIv,
encSensitive);
Transform(priv, f);
return(priv);
}
/// <summary>
/// Creates a duplication blob for the current key that can be Imported as a child
/// of newParent. Three forms are possible. GetPlaintextDuplicationBlob() allows
/// plaintext-import. This function enables duplication with and without an
/// inner wrapper (depending on whether innerWrapper is null)
/// </summary>
/// <param name="newParent"></param>
/// <param name="innerWrapper"></param>
/// <param name="encryptedWrappingKey"></param>
/// <returns></returns>
public TpmPrivate GetDuplicationBlob(
TpmPublic newParent,
SymmCipher innerWrapper,
out byte[] encryptedWrappingKey)
{
byte[] encSensitive;
if (innerWrapper == null)
{
// No inner wrapper
encSensitive = Marshaller.ToTpm2B(sensitivePart.GetTpmRepresentation());
}
else
{
byte[] sens = Marshaller.ToTpm2B(sensitivePart.GetTpmRepresentation());
byte[] toHash = Globs.Concatenate(sens, GetName());
byte[] innerIntegrity = Marshaller.ToTpm2B(CryptoLib.HashData(publicPart.nameAlg, toHash));
byte[] innerData = Globs.Concatenate(innerIntegrity, sens);
encSensitive = innerWrapper.Encrypt(innerData);
}
byte[] seed, encSecret;
SymDefObject symDef = GetSymDef(newParent);
using (AsymCryptoSystem newParentPubKey = AsymCryptoSystem.CreateFrom(newParent))
{
switch (newParent.type)
{
case TpmAlgId.Rsa:
// The seed should be the same size as the symmKey
seed = Globs.GetRandomBytes((symDef.KeyBits + 7) / 8);
encSecret = newParentPubKey.EncryptOaep(seed, DuplicateEncodingParms);
break;
case TpmAlgId.Ecc:
EccPoint pubEphem;
seed = newParentPubKey.EcdhGetKeyExchangeKey(DuplicateEncodingParms,
newParent.nameAlg,
out pubEphem);
encSecret = Marshaller.GetTpmRepresentation(pubEphem);
break;
default:
Globs.Throw <NotImplementedException>("GetDuplicationBlob: Unsupported algorithm");
encryptedWrappingKey = new byte[0];
return(new TpmPrivate());
}
}
encryptedWrappingKey = encSecret;
byte[] symKey = KDF.KDFa(newParent.nameAlg, seed, "STORAGE", publicPart.GetName(), new byte[0], symDef.KeyBits);
byte[] dupSensitive;
using (SymmCipher enc2 = SymmCipher.Create(symDef, symKey))
{
dupSensitive = enc2.Encrypt(encSensitive);
}
var npNameNumBits = CryptoLib.DigestSize(newParent.nameAlg) * 8;
byte[] hmacKey = KDF.KDFa(newParent.nameAlg, seed, "INTEGRITY", new byte[0], new byte[0], npNameNumBits);
byte[] outerDataToHmac = Globs.Concatenate(dupSensitive, publicPart.GetName());
byte[] outerHmac = Marshaller.ToTpm2B(CryptoLib.HmacData(newParent.nameAlg, hmacKey, outerDataToHmac));
byte[] dupBlob = Globs.Concatenate(outerHmac, dupSensitive);
return(new TpmPrivate(dupBlob));
}
/// <summary>
/// Creates a duplication blob for the current key that can be Imported as a child
/// of newParent. Three forms are possible. GetPlaintextDuplicationBlob() allows
/// plaintext-import. This function enables duplication with and without an
/// inner wrapper (depending on whether innerWrapper is null)
/// </summary>
/// <param name="newParent"></param>
/// <param name="innerWrapper"></param>
/// <param name="encryptedWrappingKey"></param>
/// <returns></returns>
public TpmPrivate GetDuplicationBlob(
TpmPublic newParent,
SymmCipher innerWrapper,
out byte[] encryptedWrappingKey)
{
byte[] encSensitive;
if (innerWrapper == null)
{
// No inner wrapper
encSensitive = Marshaller.ToTpm2B(sensitivePart.GetTpmRepresentation());
Transform(encSensitive);
}
else
{
byte[] sens = Marshaller.ToTpm2B(sensitivePart.GetTpmRepresentation());
byte[] toHash = Globs.Concatenate(sens, GetName());
Transform(toHash);
byte[] innerIntegrity = Marshaller.ToTpm2B(CryptoLib.HashData(publicPart.nameAlg, toHash));
byte[] innerData = Globs.Concatenate(innerIntegrity, sens);
Transform(innerData);
encSensitive = innerWrapper.CFBEncrypt(innerData);
Transform(encSensitive);
}
byte[] seed, encSecret;
SymDefObject symDef = GetSymDef(newParent);
using (AsymCryptoSystem newParentPubKey = AsymCryptoSystem.CreateFrom(newParent))
{
switch (newParent.type)
{
case TpmAlgId.Rsa:
// The seed should be the same size as the symmKey
seed = Globs.GetRandomBytes((symDef.KeyBits + 7) / 8);
encSecret = newParentPubKey.EncryptOaep(seed, DuplicateEncodingParms);
break;
case TpmAlgId.Ecc:
EccPoint pubEphem;
seed = newParentPubKey.EcdhGetKeyExchangeKey(DuplicateEncodingParms,
newParent.nameAlg,
out pubEphem);
encSecret = Marshaller.GetTpmRepresentation(pubEphem);
break;
default:
throw new NotImplementedException("activate crypto scheme not implemented");
}
}
Transform(seed);
Transform(encSecret);
encryptedWrappingKey = encSecret;
byte[] symKey = KDF.KDFa(newParent.nameAlg, seed, "STORAGE", publicPart.GetName(), new byte[0], symDef.KeyBits);
Transform(symKey);
byte[] dupSensitive;
using (SymmCipher enc2 = SymmCipher.Create(symDef, symKey))
{
dupSensitive = enc2.CFBEncrypt(encSensitive);
}
Transform(dupSensitive);
int npNameNumBits = CryptoLib.DigestSize(newParent.nameAlg) * 8;
byte[] hmacKey = KDF.KDFa(newParent.nameAlg, seed, "INTEGRITY", new byte[0], new byte[0], (uint)npNameNumBits);
byte[] outerDataToHmac = Globs.Concatenate(dupSensitive, publicPart.GetName());
Transform(outerDataToHmac);
byte[] outerHmac = Marshaller.ToTpm2B(CryptoLib.HmacData(newParent.nameAlg, hmacKey, outerDataToHmac));
Transform(outerHmac);
byte[] dupBlob = Globs.Concatenate(outerHmac, dupSensitive);
Transform(dupBlob);
return new TpmPrivate(dupBlob);
}
/// <summary>
/// Create a new SymmCipher object with a random key based on the alg and mode supplied.
/// </summary>
/// <param name="algId"></param>
/// <param name="numBits"></param>
/// <param name="mode"></param>
/// <returns></returns>
public static SymmCipher Create(SymDefObject symDef = null, byte[] keyData = null, byte[] iv = null)
{
if (symDef == null)
{
symDef = new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb);
}
#if TSS_USE_BCRYPT
BCryptAlgorithm alg = null;
switch (symDef.Algorithm)
{
case TpmAlgId.Aes:
alg = new BCryptAlgorithm(Native.BCRYPT_AES_ALGORITHM);
break;
case TpmAlgId.Tdes:
alg = new BCryptAlgorithm(Native.BCRYPT_3DES_ALGORITHM);
break;
default:
Globs.Throw <ArgumentException>("Unsupported symmetric algorithm " + symDef.Algorithm);
break;
}
if (keyData == null)
{
keyData = Globs.GetRandomBytes(symDef.KeyBits / 8);
}
var key = alg.GenerateSymKey(symDef, keyData, GetBlockSize(symDef));
//key = BCryptInterface.ExportSymKey(keyHandle);
//keyHandle = alg.LoadSymKey(key, symDef, GetBlockSize(symDef));
alg.Close();
return(key == null ? null : new SymmCipher(key, keyData, iv));
#else
SymmetricAlgorithm alg = null; // = new RijndaelManaged();
bool limitedSupport = false;
// DES and __3DES are not supported in TPM 2.0 rev. 0.96 to 1.30
switch (symDef.Algorithm)
{
case TpmAlgId.Aes:
alg = new RijndaelManaged();
break;
case TpmAlgId.Tdes:
alg = new TripleDESCryptoServiceProvider();
limitedSupport = true;
break;
default:
Globs.Throw <ArgumentException>("Unsupported symmetric algorithm " + symDef.Algorithm);
break;
}
int blockSize = GetBlockSize(symDef);
alg.KeySize = symDef.KeyBits;
alg.BlockSize = blockSize * 8;
alg.Padding = PaddingMode.None;
alg.Mode = GetCipherMode(symDef.Mode);
// REVISIT: Get this right for other modes
if (symDef.Algorithm == TpmAlgId.Tdes && symDef.Mode == TpmAlgId.Cfb)
{
alg.FeedbackSize = 8;
}
else
{
alg.FeedbackSize = alg.BlockSize;
}
if (keyData == null)
{
// Generate random key
alg.IV = Globs.GetZeroBytes(blockSize);
try
{
alg.GenerateKey();
}
catch (Exception)
{
alg.Dispose();
throw;
}
}
else
{
// Use supplied key bits
alg.Key = keyData;
if (iv == null)
{
iv = Globs.GetZeroBytes(blockSize);
}
else if (iv.Length != blockSize)
{
Array.Resize(ref iv, blockSize);
}
alg.IV = iv;
}
var symCipher = new SymmCipher(alg);
symCipher.LimitedSupport = limitedSupport;
return(symCipher);
#endif
}
/// <summary>
/// Create a new SymmCipher object with a random key based on the alg and mode supplied.
/// </summary>
/// <param name="algId"></param>
/// <param name="numBits"></param>
/// <param name="mode"></param>
/// <returns></returns>
public static SymmCipher Create(SymDefObject symDef = null, byte[] keyData = null, byte[] iv = null)
{
if (symDef == null)
{
symDef = new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb);
}
#if TSS_USE_BCRYPT
BCryptAlgorithm alg = null;
switch (symDef.Algorithm)
{
case TpmAlgId.Aes:
alg = new BCryptAlgorithm(Native.BCRYPT_AES_ALGORITHM);
break;
case TpmAlgId.Tdes:
alg = new BCryptAlgorithm(Native.BCRYPT_3DES_ALGORITHM);
break;
default:
Globs.Throw<ArgumentException>("Unsupported symmetric algorithm " + symDef.Algorithm);
break;
}
if (keyData == null)
{
keyData = Globs.GetRandomBytes(symDef.KeyBits / 8);
}
var key = alg.GenerateSymKey(symDef, keyData, GetBlockSize(symDef));
//key = BCryptInterface.ExportSymKey(keyHandle);
//keyHandle = alg.LoadSymKey(key, symDef, GetBlockSize(symDef));
alg.Close();
return key == null ? null : new SymmCipher(key, keyData, iv);
#else
SymmetricAlgorithm alg = null; // = new RijndaelManaged();
bool limitedSupport = false;
// DES and __3DES are not supported in TPM 2.0 rev. 0.96 to 1.30
switch (symDef.Algorithm) {
case TpmAlgId.Aes:
alg = new RijndaelManaged();
break;
case TpmAlgId.Tdes:
alg = new TripleDESCryptoServiceProvider();
limitedSupport = true;
break;
default:
Globs.Throw<ArgumentException>("Unsupported symmetric algorithm " + symDef.Algorithm);
break;
}
int blockSize = GetBlockSize(symDef);
alg.KeySize = symDef.KeyBits;
alg.BlockSize = blockSize * 8;
alg.Padding = PaddingMode.None;
alg.Mode = GetCipherMode(symDef.Mode);
// REVISIT: Get this right for other modes
if (symDef.Algorithm == TpmAlgId.Tdes && symDef.Mode == TpmAlgId.Cfb)
{
alg.FeedbackSize = 8;
}
else
{
alg.FeedbackSize = alg.BlockSize;
}
if (keyData == null)
{
// Generate random key
alg.IV = Globs.GetZeroBytes(blockSize);
try
{
alg.GenerateKey();
}
catch (Exception)
{
alg.Dispose();
throw;
}
}
else
{
// Use supplied key bits
alg.Key = keyData;
if (iv == null)
{
iv = Globs.GetZeroBytes(blockSize);
}
else if (iv.Length != blockSize)
{
Array.Resize(ref iv, blockSize);
}
alg.IV = iv;
}
var symCipher = new SymmCipher(alg);
symCipher.LimitedSupport = limitedSupport;
return symCipher;
#endif
}
