private static AuthHandle EstablishOIAP(TPMWrapper tpm) { ILog log = LogManager.GetLogger("EstablishOIAP"); for (int i = 0; i < 2; i++) { TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters()); TPMCommandResponse response = tpm.Process(request); AuthHandle myAuthHandle = response.Parameters.GetValueOf <AuthHandle> ("auth_handle"); // Parameters parameters = new Parameters (); // parameters.AddValue ("handle", myAuthHandle); // TPMCommandRequest requestFlush = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FLUSH_SPECIFIC, parameters); // tpm.Process (requestFlush); //return myAuthHandle; } Parameters listHandlesParameters = new Parameters(); listHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE); listHandlesParameters.AddPrimitiveType("handle_type", TPMResourceType.TPM_RT_AUTH); TPMCommandRequest listHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, listHandlesParameters); TPMCommandResponse listHandlesResponse = tpm.Process(listHandlesRequest); HandleList loadedKeyHandles = listHandlesResponse.Parameters.GetValueOf <HandleList> ("handles"); return(null); }
private static void ReadPCRs(TPMWrapper tpm) { uint i = 0; ILog log = LogManager.GetLogger("ReadPCRs"); Parameters param = new Parameters(); param.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY); param.AddPrimitiveType("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR); TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, param); TPMCommandResponse response = tpm.Process(request); uint maxPcrs = response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_PCR); for (i = 0; i < maxPcrs; ++i) { param = new Parameters(); param.AddPrimitiveType("pcrnum", i); TPMCommandRequest req = new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, param); TPMCommandResponse resp = tpm.Process(req); byte[] val = resp.Parameters.GetValueOf <byte[]>("value"); log.InfoFormat("Answer for PCR {0} is: 0x{1}", resp.Parameters.GetValueOf <UInt32>("pcrnum"), ByteHelper.ByteArrayToHexString(val)); } // TPMCommandRequest req = new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, null); // TPMCommand com = TPMCommandFactory.Create(req); // com.Init(param, tpm); // com.Process(); //Console.WriteLine ("Hello World!"); }
/// <summary> /// Seals data to the specified pcr selection, /// create a valid pcr selection with session.CreateEmptyPCRSelection /// </summary> /// <param name="pcrSelection"></param> /// <param name="data">Data to seal</param> /// <returns></returns> public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data) { Parameters paramsSeal = new Parameters(); paramsSeal.AddPrimitiveType("in_data", data); paramsSeal.AddPrimitiveType("key", _keyIdentifier); paramsSeal.AddValue("pcr_selection", pcrSelection); Parameters paramsSecret = new Parameters(); paramsSecret.AddPrimitiveType("identifier", KeyIdentifier); ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret)); if (authSeal.Hashed == false) { authSeal.Hash(); } authSeal.DecryptHash(); paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue); try { TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal); return(sealResponse.Parameters.GetValueOf <byte[]>("data")); } finally { if (authSeal != null) { authSeal.ClearHash(); } } }
/// <summary> /// Creates a new counter if possible. /// Creating a counter requires the owner password and also the secret_counter secret /// </summary> /// <param name="label">4 bytes to label the counter</param> /// <returns></returns> public CounterContext CreateCounter(byte[] label) { if (label.Length != 4) { throw new ArgumentException("label needs to be of size 4"); } ProtectedPasswordStorage counterSecret = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters())); if (counterSecret.Hashed == false) { counterSecret.Hash(); } counterSecret.DecryptHash(); Parameters createCounterParams = new Parameters(); createCounterParams.AddPrimitiveType("secret", counterSecret.HashValue); createCounterParams.AddPrimitiveType("label", label); return(new CounterContext(_tpmSession, _tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_CreateCounter, createCounterParams)) .Parameters.GetValueOf <uint>("counter_id") )); }
/// <summary> /// Reads the configured tpm devices from the configuration and /// sets up the corresponding tpm contexts /// </summary> private void SetupTPMContexts() { IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection("connections"); foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices) { try { _logger.InfoFormat("Setting up tpm context '{0}'", device.TPMName); TPMWrapper tpmDevice = new TPMWrapper(); tpmDevice.Init(device.TPMType, device.Parameters); TPMContext tpmContext = new TPMContext(device.TPMName, tpmDevice); _tpmContexts.Add(device.TPMName, tpmContext); _logger.InfoFormat("Flushing device '{0}'", device.TPMName); foreach (TPMResourceType resourceType in new TPMResourceType[] { TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY }) { Parameters listLoadedHandlesParameters = new Parameters(); listLoadedHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE); listLoadedHandlesParameters.AddPrimitiveType("handle_type", resourceType); TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, listLoadedHandlesParameters); TPMCommandResponse response = tpmDevice.Process(listLoadedHandlesRequest); if (response.Status == false) { throw new Exception("An unknown tpm exception while flushing occured"); } foreach (uint handle in response.Parameters.GetValueOf <HandleList> ("handles")) { Parameters flushParameters = new Parameters(); flushParameters.AddValue("handle", HandleFactory.Create(resourceType, handle)); TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters); TPMCommandResponse flushResponse = tpmDevice.Process(flushRequest); if (flushResponse.Status == false) { throw new Exception("Something went wrong while flushing"); } } } _logger.InfoFormat("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType); } catch (Exception ex) { _logger.FatalFormat("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex); } ///Set the Assembly search order for incoming Parameters so that core classes are always at first Parameters.AssemblySearchOrder = new Assembly[] { typeof(TPMWrapper).Assembly, //lib core typeof(ITypedParameter).Assembly }; //lib common } }
/// <summary> /// The maximum number of keys the tpm can load at once /// </summary> /// <returns></returns> public uint GetMaxKeys() { Parameters parameters = new Parameters (); parameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY); parameters.AddPrimitiveType ("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS); return this.BuildDoVerifyRequest (TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf<uint> (CapabilityData.PARAM_PROP_MAX_KEYS); }
/// <summary> /// The maximum number of keys the tpm can load at once /// </summary> /// <returns></returns> public uint GetMaxKeys() { Parameters parameters = new Parameters(); parameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY); parameters.AddPrimitiveType("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS); return(this.BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf <uint> (CapabilityData.PARAM_PROP_MAX_KEYS)); }
/// <summary> /// Retrieves Version information of the TPM /// </summary> public CapabilityData.TPMCapVersionInfo GetTPMVersion() { Parameters parameters = new Parameters(); parameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL); parameters.AddPrimitiveType("subCap", new byte[0]); return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf <CapabilityData.TPMCapVersionInfo> (CapabilityData.PARAM_TPM_VERSION_INFO)); }
/// <summary> /// Extends the specified pcr by the specified digest /// </summary> /// <param name="pcrIndex">The pcr to be extended</param> /// <param name="digest"></param> /// <returns>Returns the new value of the extended pcr</returns> public byte[] Extend(uint pcrIndex, byte[] digest) { Parameters extendParameters = new Parameters(); extendParameters.AddPrimitiveType("pcr", pcrIndex); extendParameters.AddPrimitiveType("digest", digest); return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Extend, extendParameters) .Parameters.GetValueOf<byte[]>("pcr_value"); }
/// <summary> /// Signs the specified data, but the data is already in the format the signature format (Attached to the key) requires it to be. /// </summary> /// <remarks> /// Use this for large amount of data, or use the <see>CreateSigner</see> method /// </remarks> /// <param name="data"></param> /// <returns></returns> public byte[] SignWithProperFormat(byte[] data) { Parameters signParameters = new Parameters(); signParameters.AddPrimitiveType("key", _keyIdentifier); signParameters.AddPrimitiveType("areaToSign", data); return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Sign, signParameters).Parameters.GetValueOf <byte[]>("sig")); }
/// <summary> /// Extends the specified pcr by the specified digest /// </summary> /// <param name="pcrIndex">The pcr to be extended</param> /// <param name="digest"></param> /// <returns>Returns the new value of the extended pcr</returns> public byte[] Extend(uint pcrIndex, byte[] digest) { Parameters extendParameters = new Parameters(); extendParameters.AddPrimitiveType("pcr", pcrIndex); extendParameters.AddPrimitiveType("digest", digest); return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Extend, extendParameters) .Parameters.GetValueOf <byte[]>("pcr_value")); }
/// <summary> /// Returns if the specified sizeIfSelect (= pcrcount / 8) is supported. /// This is used to create valid PCRSelection objects for this tpm /// </summary> /// <param name="size"> /// A <see cref="System.UInt16"/> /// </param> /// <returns> /// A <see cref="System.Boolean"/> /// </returns> public bool SupportsSizeOfPcr(ushort size) { Parameters parameters = new Parameters(); parameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE); parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_SELECT_SIZE, size); return(this.BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters) .Parameters.GetValueOf <bool>(CapabilityData.PARAM_PROP_SELECT_SIZE)); }
/// <summary> /// Unbinds the specified data, the encrypted data needs to be /// of type TPMBoundData /// </summary> /// <param name="data"></param> /// <returns>Returns the decrypted data</returns> public byte[] Unbind(byte[] data) { Parameters paramsUnbind = new Parameters(); paramsUnbind.AddPrimitiveType("in_data", data); paramsUnbind.AddPrimitiveType("key", _keyIdentifier); TPMCommandResponse unbindResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unbind, paramsUnbind); return(unbindResponse.Parameters.GetValueOf <byte[]>("data")); }
private static void ReadCapabilities(TPMWrapper tpm) { ILog log = LogManager.GetLogger("ReadCapabilities"); // Read out each capability property foreach (CapabilityData.TPMSubCapProperty subCap in Enum.GetValues(typeof(CapabilityData.TPMSubCapProperty))) { Parameters param = new Parameters(); param.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY); param.AddPrimitiveType("subCap", subCap); TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, param); TPMCommandResponse response = tpm.Process(request); switch (subCap) { case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR: log.InfoFormat("Number of PCRs is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_PCR)); break; //case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_DIR: // log.InfoFormat("Number of DIR is {0} and should be 1 because command is deprecated", response.Parameters.GetValueOf<uint>(CapabilityData.PARAM_PROP_DIR)); // break; case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MANUFACTURER: log.InfoFormat("Manufacturer ID is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MANUFACTURER)); break; case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_KEYS: log.InfoFormat("Number of free keyslots is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_KEYS)); break; case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS: log.InfoFormat("Number of max Auth Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_AUTHSESS)); break; case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS: log.InfoFormat("Number of max Trans Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_TRANSESS)); break; case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS: log.InfoFormat("Number of max keys (without EK and SRK) is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_KEYS)); break; case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS: log.InfoFormat("Number of max Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_SESSIONS)); break; default: throw new NotSupportedException("Defined cap or subcap are not supported"); } } }
/// <summary> /// Retrieves the index of the specified pcr /// </summary> /// <param name="pcrIndex"></param> /// <returns></returns> public byte[] PCRValue(uint pcrIndex) { Parameters pcrParams = new Parameters(); pcrParams.AddPrimitiveType("pcrnum", pcrIndex); return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams).Parameters.GetValueOf<byte[]>("value"); }
/// <summary> /// Invalidates the counter /// </summary> public void Release() { Parameters releaseCounterParams = new Parameters(); releaseCounterParams.AddPrimitiveType("counter_id", _counterId); _tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_ReleaseCounter, releaseCounterParams)); }
/// <summary> /// Performs the actual swap-in operation /// </summary> /// <param name="item"></param> protected override void SwappedIn(AuthHandleItem item) { //uint oldHandle = item.AuthHandle.Handle; if (item.Status != AuthHandleItem.AuthHandleStatus.SwappedOut) { throw new ArgumentException("Invalid auth handle state for swap in operation"); } using (new LockContext(_authHandles, "AuthHandleManager::SwappedIn")) { if (AvailableSessionSlots <= LoadedSessions) { SwapOut(); } Parameters swapInParameters = new Parameters(); swapInParameters.AddValue("handle", item.AuthHandle); swapInParameters.AddPrimitiveType("context_blob", item.AuthHandle.ContextBlob); TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters); TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest); if (swapInResponse.Status == false) { throw new TPMRequestException("Unknown error while swap in operation"); } item.AuthHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle; item.Status = AuthHandleItem.AuthHandleStatus.SwappedIn; } }
/// <summary> /// Unseals the specified data /// </summary> /// <param name="data">Data to seal</param> /// <returns></returns> public byte[] Unseal(byte[] data) { Parameters paramsSeal = new Parameters(); paramsSeal.AddPrimitiveType("in_data", data); paramsSeal.AddPrimitiveType("key", _keyIdentifier); Parameters paramsSecret = new Parameters(); paramsSecret.AddPrimitiveType("identifier", KeyIdentifier); TPMCommandResponse unsealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unseal, paramsSeal); return(unsealResponse.Parameters.GetValueOf <byte[]>("data")); }
/// <summary> /// Performs the actual swap-in operation /// </summary> /// <param name="item"></param> protected override void SwappedIn(KeyHandleItem item) { if (item.Status != KeyHandleItem.KeyHandleStatus.SwappedOut) { throw new ArgumentException("Invalid key handle state for swap in operation"); } if (AvailableKeySlots <= LoadedKeys) { SwapOut(); } Parameters swapInParameters = new Parameters(); swapInParameters.AddValue("handle", item.KeyHandle); swapInParameters.AddPrimitiveType("context_blob", item.KeyHandle.ContextBlob); TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters); TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest); if (swapInResponse.Status == false) { throw new TPMRequestException("Keymanager: Unknown error while swap in operation"); } item.KeyHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle; }
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum) { if (authSessionNum == AuthSessionNum.Auth1) { string keyIdentifier = _params.GetValueOf <string>("key"); Parameters parameters = new Parameters(); parameters.AddPrimitiveType("identifier", keyIdentifier); return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters)); } else if (authSessionNum == AuthSessionNum.Auth2) { string identifier = _params.GetValueOf <string>("key"); Parameters parameters = new Parameters(); parameters.AddPrimitiveType("identifier", identifier); return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, parameters)); } else { return(null); } }
public override TPMCommandResponse Process() { //We don't have any meaningful labeldata we could include, //so generate some random byte[] labelData = new byte[16]; Random r = new Random(); r.NextBytes(labelData); if(_params.IsDefined<ITPMHandle>("handle") == false) return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_SaveContext, new Parameters()); ITPMHandle handle = _params.GetValueOf<ITPMHandle>("handle"); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_SaveContext); requestBlob.WriteUInt32(handle.Handle); requestBlob.WriteUInt32((uint)handle.ResourceType); requestBlob.Write(labelData, 0, labelData.Length); TPMBlob responseBlob = TransmitMe(requestBlob); responseBlob.SkipHeader(); uint blobSize = responseBlob.ReadUInt32(); byte[] contextBlob = responseBlob.ReadBytes((int)blobSize); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("context_blob", contextBlob); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_SaveContext, responseParams); }
/// <summary> /// Retrieves the index of the specified pcr /// </summary> /// <param name="pcrIndex"></param> /// <returns></returns> public byte[] PCRValue(uint pcrIndex) { Parameters pcrParams = new Parameters(); pcrParams.AddPrimitiveType("pcrnum", pcrIndex); return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams).Parameters.GetValueOf <byte[]>("value")); }
/// <summary> /// Cryptographically reports the selected PCR values and returns /// the TPMPCRComposite and the generated signature. If no /// external data is supplied a random nonce is generated on the server. /// The length of externalData is defined by the hashing algorithm used by the TPM /// </summary> /// <param name="pcrs"></param> /// <param name="externalData">Nonce used for the quoting operation, /// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value /// with the correct length</param> /// <returns></returns> public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData) { Parameters quoteParameters = new Parameters(); quoteParameters.AddPrimitiveType("key", _keyIdentifier); quoteParameters.AddValue("targetPCR", pcrs); if (externalData != null) { quoteParameters.AddPrimitiveType("externalData", externalData); } TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters); return(new QuoteResponse(response.Parameters.GetValueOf <TPMPCRComposite>("pcrData"), response.Parameters.GetValueOf <byte[]>("sig"))); }
/// <summary> /// Increments the current counter value and returns the new counter value /// </summary> /// <returns></returns> public uint Increment() { Parameters incCounterParams = new Parameters(); incCounterParams.AddPrimitiveType("counter_id", _counterId); return(_tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_IncrementCounter, incCounterParams)) .Parameters.GetValueOf <TPMCounterValue>("counter_value").CounterValue); }
public override TPMCommandResponse Process() { TPMBlob requestBlob = new TPMBlob (); requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_PcrRead); requestBlob.WriteUInt32 ((uint)_register); requestBlob.WriteCmdSize (); TPMBlob responseBlob = TransmitMe (requestBlob); Parameters responseParam = new Parameters(); byte[] val = responseBlob.ReadBytes(20); responseParam.AddPrimitiveType("pcrnum", _register); responseParam.AddPrimitiveType("value", val); TPMCommandResponse response = new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_PCRRead, responseParam); return response; }
/// <summary> /// Creates a new counter if possible. /// Creating a counter requires the owner password and also the secret_counter secret /// </summary> /// <param name="label">4 bytes to label the counter</param> /// <returns></returns> public CounterContext CreateCounter(byte[] label) { if(label.Length != 4) throw new ArgumentException("label needs to be of size 4"); ProtectedPasswordStorage counterSecret = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters())); if(counterSecret.Hashed == false) counterSecret.Hash(); counterSecret.DecryptHash(); Parameters createCounterParams = new Parameters(); createCounterParams.AddPrimitiveType("secret", counterSecret.HashValue); createCounterParams.AddPrimitiveType("label", label); return new CounterContext(_tpmSession, _tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_CreateCounter, createCounterParams)) .Parameters.GetValueOf<uint>("counter_id") ); }
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum) { if (authSessionNum != AuthSessionNum.Auth1) { return(null); } Parameters hmacKeyInfoParams = new Parameters(); hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf <string>("key")); return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams)); }
public override TPMCommandResponse Process() { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_PcrRead); requestBlob.WriteUInt32((uint)_register); requestBlob.WriteCmdSize(); TPMBlob responseBlob = TransmitMe(requestBlob); Parameters responseParam = new Parameters(); byte[] val = responseBlob.ReadBytes(20); responseParam.AddPrimitiveType("pcrnum", _register); responseParam.AddPrimitiveType("value", val); TPMCommandResponse response = new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_PCRRead, responseParam); return(response); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _encAuth = _params.GetValueOf <byte[]> ("data_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_encAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf <string>("key")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_encAuth, 0, 20); TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo); requestBlob.WriteUInt32((uint)_inData.Length); requestBlob.Write(_inData, 0, _inData.Length); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams)); }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_LoadKey2); //If not loaded load now if (_params.GetValueOf <bool>("parent_key_srk") == false) { _keyManager.LoadKey(_params.GetValueOf <string>("parent_identifier")); } //To be inserted later requestBlob.WriteUInt32(0); _tpmKey.WriteToTpmBlob(requestBlob); //Blocking authorize, blocks till the user has entered the authorization data AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { _keyManager.EnsureFreeSlot(); uint tpmKeyHandle; if (_params.GetValueOf <bool>("parent_key_srk")) { tpmKeyHandle = (uint)TPMKeyHandles.TPM_KH_SRK; } else { tpmKeyHandle = _keyManager.IdentifierToHandle(_params.GetValueOf <string>("parent_identifier")).Handle; } //Write key handle to the first position after the header requestBlob.SkipHeader(); requestBlob.WriteUInt32(tpmKeyHandle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint loadedTpmHandle = _responseBlob.ReadUInt32(); KeyHandle loadedHandle = new KeyHandle(_params.GetValueOf <string>("key_identifier"), loadedTpmHandle); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("handle", loadedHandle); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_LoadKey2, _responseParameters)); }
public void TakeOwnership(ProtectedPasswordStorage ownerSecret, ProtectedPasswordStorage srkSecret) { _tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_OWNER, ownerSecret); _tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_SRK, srkSecret); IAsymmetricBlockCipher ekEncryptor = _tpmSession.EndorsementKeyHandling.PublicKey.CreateRSAEncrypter(); ownerSecret.DecryptHash(); byte[] encOwnerSecret = ekEncryptor.ProcessBlock(ownerSecret.HashValue, 0, ownerSecret.HashValue.Length); ownerSecret.ClearHash(); srkSecret.DecryptHash(); byte[] encSrkSecret = ekEncryptor.ProcessBlock(srkSecret.HashValue, 0, srkSecret.HashValue.Length); srkSecret.ClearHash(); Parameters parameters = new Parameters(); parameters.AddPrimitiveType(PARAM_OWNERAUTH, encOwnerSecret); parameters.AddPrimitiveType(PARAM_SRKAUTH, encSrkSecret); /*TPMCommandResponse response = */ BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_TakeOwnership, parameters); }
public void Init(bool forEncryption, ICipherParameters parameters) { _forEncryption = forEncryption; if (forEncryption) { _encryptor = _keyHandle.PublicKey.CreateRSAEncrypter(); Parameters bindParameters = new Parameters(); bindParameters.AddPrimitiveType("type", "request_prefix"); TPMCommandRequest bindPrefixRequest = new TPMCommandRequest( TPMCommandNames.TPM_CMD_Bind, bindParameters); _prefix = _session.DoTPMCommandRequest(bindPrefixRequest).Parameters.GetValueOf <byte[]>("prefix"); } }
public override TPMCommandResponse Process() { using(TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_GetRandom); requestBlob.WriteUInt32(_params.GetValueOf<uint>("bytes_requested")); _responseBlob = TransmitMe(requestBlob); } _responseBlob.SkipHeader(); uint responseByteSize = _responseBlob.ReadUInt32(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("data", _responseBlob.ReadBytes((int)responseByteSize)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetRandom, _responseParameters); }
public override TPMCommandResponse Process() { using (TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_GetRandom); requestBlob.WriteUInt32(_params.GetValueOf <uint>("bytes_requested")); _responseBlob = TransmitMe(requestBlob); } _responseBlob.SkipHeader(); uint responseByteSize = _responseBlob.ReadUInt32(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("data", _responseBlob.ReadBytes((int)responseByteSize)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetRandom, _responseParameters)); }
public override TPMCommandResponse Process() { using(TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadCounter); requestBlob.WriteUInt32(_params.GetValueOf<uint>("counter_id")); _responseBlob = TransmitMe(requestBlob); } _responseBlob.SkipHeader(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("counter_id", _params.GetValueOf<uint>("counter_id")); _responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadCounter, _responseParameters); }
public override TPMCommandResponse Process() { using (TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadCounter); requestBlob.WriteUInt32(_params.GetValueOf <uint>("counter_id")); _responseBlob = TransmitMe(requestBlob); } _responseBlob.SkipHeader(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("counter_id", _params.GetValueOf <uint>("counter_id")); _responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadCounter, _responseParameters)); }
protected override TPMCommandResponse InternalProcess() { using (TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_IncrementCounter); requestBlob.WriteUInt32(_params.GetValueOf <uint>("counter_id")); _responseBlob = AuthorizeMeAndTransmit(requestBlob); } _responseBlob.SkipHeader(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32()); _responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob)); return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters)); }
public override TPMCommandResponse Process() { if(_params.GetValueOf<string>("type", "") == "request_prefix") { TPMBoundDataCore boundData = TPMBoundDataCore.Encapsulate(new byte[0]); _responseParameters = new Parameters(); using(TPMBlob blob = new TPMBlob()) { boundData.WriteToTpmBlob(blob); _responseParameters.AddPrimitiveType("prefix", blob.ToArray()); } return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Bind, _responseParameters); } else throw new ArgumentException("TPM_Bind: did not find valid type"); }
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum) { if (authSessionNum != AuthSessionNum.Auth1) { return(null); } if (_params.GetValueOf <bool>("parent_key_srk")) { return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters())); } else { Parameters hmacKeyInfoParams = new Parameters(); hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf <string>("parent_identifier")); return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams)); } }
public override TPMCommandResponse Process() { using(TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_Extend); requestBlob.WriteUInt32(_params.GetValueOf<uint>("pcr")); byte[] digest = _params.GetValueOf<byte[]>("digest"); if(digest.Length != 20) throw new ArgumentException("Digest needs to be of length '20'"); requestBlob.Write(digest, 0, digest.Length); _responseBlob = TransmitMe(requestBlob); } _responseBlob.SkipHeader(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("pcr_value", _responseBlob.ReadBytes(20)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Extend, _responseParameters); }
protected override double Sample() { Parameters getRandomParameters = new Parameters(); getRandomParameters.AddPrimitiveType("bytes_requested", (uint)4); byte[] randomBytes = _tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetRandom, getRandomParameters)) .Parameters.GetValueOf<byte[]>("data"); byte[] realData; if(randomBytes.Length <4) { Console.WriteLine("Requested 4 received {0}", randomBytes.Length); realData = new byte[4]; Array.Copy(randomBytes, 0, realData, 0, randomBytes.Length); } else realData = randomBytes; UInt32 randomVal = BitConverter.ToUInt32(realData, 0); return (double)randomVal/(double)UInt32.MaxValue; }
protected override TPMCommandResponse InternalProcess() { //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf<string>("key")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_UnBind); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.WriteUInt32((uint)_inData.Length); requestBlob.Write(_inData, 0, _inData.Length); AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint dataSize = _responseBlob.ReadUInt32(); byte[] responseData = new byte[dataSize]; _responseBlob.Read(responseData, 0, responseData.Length); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("data", responseData); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Unbind, responseParams); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _usageAuth = _params.GetValueOf<byte[]> ("usage_auth"); _migrationAuth = _params.GetValueOf<byte[]> ("migration_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_usageAuth, xorKey); ByteHelper.XORBytes(_migrationAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf<string>("parent")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey); //parent key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_usageAuth, 0, 20); requestBlob.Write(_migrationAuth, 0, 20); _tpmKey.WriteToTpmBlob(requestBlob); using(_keyManager.AcquireLock()) { AuthorizeMe(requestBlob); requestBlob.SkipHeader(); if(_params.GetValueOf<string>("parent") == KeyHandle.KEY_SRK) requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK); else requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("parent")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMKeyCore newKey = new TPMKeyCore(_responseBlob); _responseParameters = new Parameters(); //Build and save the key identifier //The key identifier is the hex-string representation of the hash of the newly created key _responseParameters.AddPrimitiveType("key_identifier", ByteHelper.ByteArrayToHexString( new HashProvider().Hash( new HashByteDataProvider( ByteHelper.SerializeToBytes(newKey) ) ), "")); _responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters); }
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum) { if(authSessionNum != AuthSessionNum.Auth1) return null; string parentIdentifier = _params.GetValueOf<string>("parent"); if(parentIdentifier == KeyHandle.KEY_SRK) return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()); else { Parameters parameters = new Parameters(); parameters.AddPrimitiveType("identifier", parentIdentifier); return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters); } }
/// <summary> /// Cryptographically reports the selected PCR values and returns /// the TPMPCRComposite and the generated signature. If no /// external data is supplied a random nonce is generated on the server. /// The length of externalData is defined by the hashing algorithm used by the TPM /// </summary> /// <param name="pcrs"></param> /// <param name="externalData">Nonce used for the quoting operation, /// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value /// with the correct length</param> /// <returns></returns> public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData) { Parameters quoteParameters = new Parameters(); quoteParameters.AddPrimitiveType("key", _keyIdentifier); quoteParameters.AddValue("targetPCR", pcrs); if(externalData != null) quoteParameters.AddPrimitiveType("externalData", externalData); TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters); return new QuoteResponse(response.Parameters.GetValueOf<TPMPCRComposite>("pcrData"), response.Parameters.GetValueOf<byte[]>("sig")); }
public ClientKeyHandle CreateKey(string friendlyName, uint keyLength, TPMKeyUsage keyUsage, TPMKeyFlags keyFlags) { Parameters paramsCreateWrapKey = new Parameters(); paramsCreateWrapKey.AddPrimitiveType("parent", KeyIdentifier); paramsCreateWrapKey.AddPrimitiveType("key_usage", keyUsage); paramsCreateWrapKey.AddPrimitiveType("key_flags", keyFlags); paramsCreateWrapKey.AddPrimitiveType("key_length", keyLength); paramsCreateWrapKey.AddPrimitiveType("exponent", new byte[0]); paramsCreateWrapKey.AddPrimitiveType("num_primes", (uint)0); if (keyUsage == TPMKeyUsage.TPM_KEY_SIGNING) { paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_NONE); paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1); } else { paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_RSAESOAEP_SHA1_MGF1); paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_NONE); } Parameters parameters = new Parameters(); parameters.AddPrimitiveType("identifierIsFriendlyName", true); parameters.AddPrimitiveType("identifier", friendlyName); ProtectedPasswordStorage authUsage = _tpmSession.RequestSecret( new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters)); if(authUsage.Hashed == false) authUsage.Hash(); authUsage.DecryptHash(); paramsCreateWrapKey.AddPrimitiveType("usage_auth", authUsage.HashValue); ProtectedPasswordStorage authMigration = null; if((keyFlags & TPMKeyFlags.Migratable) == TPMKeyFlags.Migratable) { authMigration = _tpmSession.RequestSecret( new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyMigrationSecret, parameters)); authMigration.DecryptHash(); paramsCreateWrapKey.AddPrimitiveType("migration_auth", authMigration.HashValue); } else paramsCreateWrapKey.AddPrimitiveType("migration_auth", new byte[20]); try { TPMCommandResponse responseCreateWrapKey = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_CreateWrapKey, paramsCreateWrapKey); _tpmSession.Keystore.AddKey( friendlyName, responseCreateWrapKey.Parameters.GetValueOf<string>("key_identifier"), this.FriendlyName, responseCreateWrapKey.Parameters.GetValueOf<byte[]>("key_data")); return new ClientKeyHandle(friendlyName, responseCreateWrapKey.Parameters.GetValueOf<string>("key_identifier"), _tpmSession); } finally { if(authMigration != null) authMigration.ClearHash(); if(authUsage != null) authUsage.ClearHash(); } }
/// <summary> /// Unseals the specified data /// </summary> /// <param name="data">Data to seal</param> /// <returns></returns> public byte[] Unseal(byte[] data) { Parameters paramsSeal = new Parameters(); paramsSeal.AddPrimitiveType("in_data", data); paramsSeal.AddPrimitiveType("key", _keyIdentifier); Parameters paramsSecret = new Parameters(); paramsSecret.AddPrimitiveType("identifier", KeyIdentifier); TPMCommandResponse unsealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unseal, paramsSeal); return unsealResponse.Parameters.GetValueOf<byte[]>("data"); }
protected override TPMCommandResponse InternalProcess() { using(TPMBlob requestBlob = new TPMBlob()) { requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_IncrementCounter); requestBlob.WriteUInt32(_params.GetValueOf<uint>("counter_id")); _responseBlob = AuthorizeMeAndTransmit(requestBlob); } _responseBlob.SkipHeader(); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32()); _responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters); }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_nonce, 0, 20); _pcrSelection.WriteToTpmBlob(requestBlob); _keyManager.LoadKey(_params.GetValueOf<string>("key")); AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); // Do signature verification TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce); byte[] signingData; using (TPMBlob blob = new TPMBlob()) { quoteInfo.WriteToTpmBlob(blob); signingData = blob.ToArray(); } Parameters pubKeyParams = new Parameters(); pubKeyParams.AddPrimitiveType("key", _params.GetValueOf<string>("key")); TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams); TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest, _commandAuthHelper, _keyManager); if (pubKeyResponse.Status == false) { _log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key"); return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters()); } TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf<string>("key"))); TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf<TPMPubkey>("pubkey"); if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false) { throw new ArgumentException("The TPM_Quote signature could not be verified"); } Parameters responseParams = new Parameters(); responseParams.AddValue("pcrData", pcrComposite); responseParams.AddPrimitiveType("sig", signature); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams); }
/// <summary> /// Retrieves Version information of the TPM /// </summary> public CapabilityData.TPMCapVersionInfo GetTPMVersion() { Parameters parameters = new Parameters (); parameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL); parameters.AddPrimitiveType ("subCap", new byte[0]); return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf<CapabilityData.TPMCapVersionInfo> (CapabilityData.PARAM_TPM_VERSION_INFO); }
public override void Execute(string[] commandline) { if (commandline.Length < 2) { _console.Out.WriteLine ("Error: [local_session_alias] not specified"); return; } else if (commandline.Length < 3) { _console.Out.WriteLine ("Error: [command] not specified"); return; } ClientContext ctx = _console.GetValue<ClientContext> ("client_context", null); if (ctx == null) { _console.Out.WriteLine ("No active connection was found"); return; } string localAlias = commandline[1]; string keyCommand = commandline[2]; IDictionary<string, TPMSession> tpmSessions = _console.GetValue<IDictionary<string, TPMSession>> ("tpm_sessions", null); if (tpmSessions == null || tpmSessions.ContainsKey (localAlias) == false) { _console.Out.WriteLine ("Error: Specified local alias was not found"); return; } if (keyCommand == "clear") { List<string> toRemove = new List<string>(); foreach(string key in tpmSessions[localAlias].ListValueKeys()) { if(key.StartsWith("secret_")) toRemove.Add(key); } foreach(string key in toRemove) { tpmSessions[localAlias].ClearValue(key); } } else if (keyCommand == "remove") { IDictionary<string, string> arguments = null; if(commandline.Length >= 4) arguments = _console.SplitArguments(commandline[3], 0); if(commandline.Length < 4 || arguments.ContainsKey("type") == false) { _console.Out.WriteLine("Error: No type to remove specified"); return; } tpmSessions[localAlias].ClearValue("secret_" + arguments["type"]); } else if(keyCommand == "add") { if(commandline.Length < 4) { _console.Out.WriteLine("Error: No arguments specified"); return; } IDictionary<string, string> arguments = _console.SplitArguments(commandline[3], 0); if(arguments.ContainsKey("type") == false) { _console.Out.WriteLine("Error: No type specified"); return; } string dictKey = arguments["type"]; HMACKeyInfo keyInfo; Parameters hmacKeyInfoParams = new Parameters(); if(dictKey == "owner") { dictKey = TPMSession.PARAM_AUTH_OWNER; keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, hmacKeyInfoParams); } else if(dictKey == "srk") { dictKey = TPMSession.PARAM_AUTH_SRK; keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, hmacKeyInfoParams); } else if(dictKey == "key_usage") { if(arguments.ContainsKey("name") == false) { _console.Out.WriteLine("Error: key_usage requires name of key"); return; } dictKey = "usage_" + arguments["name"]; hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]); keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams); } else if(dictKey == "seal") { if(arguments.ContainsKey("name") == false) { _console.Out.WriteLine("Error: seal requires name of key"); return; } dictKey = "seal_" + arguments["name"]; hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]); keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, hmacKeyInfoParams); } else if(dictKey == "counter") { dictKey = "counter"; keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()); } else { _console.Out.WriteLine("Error: Unknown secret type"); return; } ProtectedPasswordStorage pw; if(arguments.ContainsKey("secret")) { pw = new ProtectedPasswordStorage(); foreach(char c in arguments["secret"]) pw.AppendPasswordChar(c); } else { tpmSessions[localAlias].ClearValue("secret_" + dictKey); pw = tpmSessions[localAlias].RequestSecret(keyInfo); } pw.Hash(); tpmSessions[localAlias].SetValue("secret_" + dictKey, pw); } else _console.Out.WriteLine ("Error, unknown command '{0}'", commandline[2]); }
/// <summary> /// Unbinds the specified data, the encrypted data needs to be /// of type TPMBoundData /// </summary> /// <param name="data"></param> /// <returns>Returns the decrypted data</returns> public byte[] Unbind(byte[] data) { Parameters paramsUnbind = new Parameters(); paramsUnbind.AddPrimitiveType("in_data", data); paramsUnbind.AddPrimitiveType("key", _keyIdentifier); TPMCommandResponse unbindResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unbind, paramsUnbind); return unbindResponse.Parameters.GetValueOf<byte[]>("data"); }
/// <summary> /// Signs the specified data, but the data is already in the format the signature format (Attached to the key) requires it to be. /// </summary> /// <remarks> /// Use this for large amount of data, or use the <see>CreateSigner</see> method /// </remarks> /// <param name="data"></param> /// <returns></returns> public byte[] SignWithProperFormat(byte[] data) { Parameters signParameters = new Parameters(); signParameters.AddPrimitiveType("key", _keyIdentifier); signParameters.AddPrimitiveType("areaToSign", data); return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Sign, signParameters).Parameters.GetValueOf<byte[]>("sig"); }
/// <summary> /// Seals data to the specified pcr selection, /// create a valid pcr selection with session.CreateEmptyPCRSelection /// </summary> /// <param name="pcrSelection"></param> /// <param name="data">Data to seal</param> /// <returns></returns> public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data) { Parameters paramsSeal = new Parameters(); paramsSeal.AddPrimitiveType("in_data", data); paramsSeal.AddPrimitiveType("key", _keyIdentifier); paramsSeal.AddValue("pcr_selection", pcrSelection); Parameters paramsSecret = new Parameters(); paramsSecret.AddPrimitiveType("identifier", KeyIdentifier); ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret)); if(authSeal.Hashed == false) authSeal.Hash(); authSeal.DecryptHash(); paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue); try { TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal); return sealResponse.Parameters.GetValueOf<byte[]>("data"); } finally { if(authSeal != null) authSeal.ClearHash(); } }
/// <summary> /// Assures that the shared secret for the specified authorization handle has been /// calculated, if not it gets calculated. If no OSAP session exists, create it /// </summary> /// <param name="cmd"></param> /// <param name="sessionNum"></param> /// <returns></returns> public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum) { // using(AcquireLock()) // { // //Must not be called for OSAP at the moment because OSAP session are not cached // _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); // } // HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if(keyInfo == null) return null; AuthHandle authHandle; using(AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } // If shared secret has not yet been generated, do it if(authHandle.SharedSecret == null) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest( _ctx, new HashByteDataProvider(authHandle.NonceEvenOSAP), new HashByteDataProvider(authHandle.NonceOddOSAP) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; Parameters paramsSharedSecret = new Parameters(); if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE || cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK) { if(cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK) request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()); else { paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum)); request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret); } } else if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER) request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters()); else throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'", cmd.GetEntityType(authSessionNum))); GenerateHMACResponse response = request.TypedExecute (); response.AssertResponse(); authHandle.SharedSecret = response.TpmAuthData; } return authHandle; }
/// <summary> /// Returns if the specified sizeIfSelect (= pcrcount / 8) is supported. /// This is used to create valid PCRSelection objects for this tpm /// </summary> /// <param name="size"> /// A <see cref="System.UInt16"/> /// </param> /// <returns> /// A <see cref="System.Boolean"/> /// </returns> public bool SupportsSizeOfPcr(ushort size) { Parameters parameters = new Parameters (); parameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE); parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_SELECT_SIZE, size); return this.BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters) .Parameters.GetValueOf<bool>(CapabilityData.PARAM_PROP_SELECT_SIZE); }
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum) { if(authSessionNum != AuthSessionNum.Auth1) return null; string keyIdentifier = _params.GetValueOf<string>("key"); Parameters parameters = new Parameters(); parameters.AddPrimitiveType("identifier", keyIdentifier); return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters); }
public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper) { base.Init (param, tpmProvider, tpmWrapper); _digest = null; _responseDigest = null; _inData = param.GetValueOf<byte[]>("in_data"); _pcrInfo = new TPMPCRInfoCore(new TPMPCRSelectionCore(param.GetValueOf<TPMPCRSelection>("pcr_selection"))); _pcrInfo.CalculateDigests((TPMPCRInfoCore.GetPCRValueDelegate)delegate(uint pcrNum) { //TODO: Use TPM_Quote to determine pcr values once it's available Parameters pcrParams = new Parameters(); pcrParams.AddPrimitiveType("pcrnum", pcrNum); TPMCommandResponse pcrResponse = _tpmWrapper.Process(new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams)); if(!pcrResponse.Status) throw new TPMResponseException("An unknown error occured on performing pcrread"); return pcrResponse.Parameters.GetValueOf<byte[]>("value"); }); }
/// <summary> /// Reads the configured tpm devices from the configuration and /// sets up the corresponding tpm contexts /// </summary> private void SetupTPMContexts() { IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection ("connections"); foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices) { try { _logger.InfoFormat ("Setting up tpm context '{0}'", device.TPMName); TPMWrapper tpmDevice = new TPMWrapper (); tpmDevice.Init (device.TPMType, device.Parameters); TPMContext tpmContext = new TPMContext (device.TPMName, tpmDevice); _tpmContexts.Add (device.TPMName, tpmContext); _logger.InfoFormat ("Flushing device '{0}'", device.TPMName); foreach (TPMResourceType resourceType in new TPMResourceType[] { TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY}) { Parameters listLoadedHandlesParameters = new Parameters (); listLoadedHandlesParameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE); listLoadedHandlesParameters.AddPrimitiveType ("handle_type", resourceType); TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest (TPMCommandNames.TPM_CMD_GetCapability, listLoadedHandlesParameters); TPMCommandResponse response = tpmDevice.Process (listLoadedHandlesRequest); if (response.Status == false) throw new Exception ("An unknown tpm exception while flushing occured"); foreach (uint handle in response.Parameters.GetValueOf<HandleList> ("handles")) { Parameters flushParameters = new Parameters (); flushParameters.AddValue ("handle", HandleFactory.Create (resourceType, handle)); TPMCommandRequest flushRequest = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters); TPMCommandResponse flushResponse = tpmDevice.Process (flushRequest); if (flushResponse.Status == false) throw new Exception ("Something went wrong while flushing"); } } _logger.InfoFormat ("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType); } catch (Exception ex) { _logger.FatalFormat ("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex); } ///Set the Assembly search order for incoming Parameters so that core classes are always at first Parameters.AssemblySearchOrder = new Assembly[]{ typeof(TPMWrapper).Assembly, //lib core typeof(ITypedParameter).Assembly}; //lib common } }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _encAuth = _params.GetValueOf<byte[]> ("data_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_encAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf<string>("key")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_encAuth, 0, 20); TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo); requestBlob.WriteUInt32((uint)_inData.Length); requestBlob.Write(_inData, 0, _inData.Length); AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams); }