/// <summary> /// Reserves the number of session slots the given command requires on the tpm. /// </summary> /// <remarks> /// If the command supports OIAP auth handles, it is also possible for the AuthHandleManager to recycle /// existing OIAP AuthHandles. /// /// If the command needs OSAP auth handles the AuthHandleManager always creates new sessions, because OSAP is /// used for auth data insertion, so nothing happens in here for OSAP /// </remarks> /// <param name="cmd"></param> /// <param name="tpmSession"></param> public void ReserveAuthHandleSlots(IAuthorizableCommand cmd) { using (new LockContext(_authHandles, string.Format("AuthHandleManager::ReserveAuthHandleSlots {0}", cmd))) { foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession); if (keyInfo == null) { continue; } bool useOIAP = false; if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP)) { useOIAP = true; } if (FindReservedHandle(cmd, authSession) != null) { continue; } //We only cache OIAP sessions, so maybe there is a free //OIAP session we can use if (useOIAP) { AuthHandleItem handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedIn); if (handle == null) { handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedOut); } if (handle != null) { handle.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd); } } } } }
public static ResponseAuthHandleInfo[] ReadAuthHandleInfos(IAuthorizableCommand cmd, TPMBlob blob) { long currentIndex = blob.Length; List <ResponseAuthHandleInfo> responseAuthHandles = new List <ResponseAuthHandleInfo>(); foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth2, AuthSessionNum.Auth1 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession); if (keyInfo != null) { currentIndex -= SINGLE_AUTH_HANDLE_SIZE; responseAuthHandles.Add(new ResponseAuthHandleInfoCore(blob, currentIndex)); } } responseAuthHandles.Reverse(); return(responseAuthHandles.ToArray()); }
public static ResponseAuthHandleInfo[] ReadAuthHandleInfos(IAuthorizableCommand cmd, TPMBlob blob) { long currentIndex = blob.Length; List<ResponseAuthHandleInfo> responseAuthHandles = new List<ResponseAuthHandleInfo>(); foreach(AuthSessionNum authSession in new AuthSessionNum[]{AuthSessionNum.Auth2, AuthSessionNum.Auth1}) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession); if(keyInfo != null) { currentIndex -= SINGLE_AUTH_HANDLE_SIZE; responseAuthHandles.Add(new ResponseAuthHandleInfoCore(blob, currentIndex)); } } responseAuthHandles.Reverse(); return responseAuthHandles.ToArray(); }
/// <summary> /// Assures that the shared secret for the specified authorization handle has been /// calculated, if not it gets calculated. If no OSAP session exists, create it /// </summary> /// <param name="cmd"></param> /// <param name="sessionNum"></param> /// <returns></returns> public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum) { // using(AcquireLock()) // { // //Must not be called for OSAP at the moment because OSAP session are not cached // _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); // } // HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if (keyInfo == null) { return(null); } AuthHandle authHandle; using (AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } // If shared secret has not yet been generated, do it if (authHandle.SharedSecret == null) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest( _ctx, new HashByteDataProvider(authHandle.NonceEvenOSAP), new HashByteDataProvider(authHandle.NonceOddOSAP) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; Parameters paramsSharedSecret = new Parameters(); if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE || cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK) { if (cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK) { request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()); } else { paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum)); request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret); } } else if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER) { request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters()); } else { throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'", cmd.GetEntityType(authSessionNum))); } GenerateHMACResponse response = request.TypedExecute(); response.AssertResponse(); authHandle.SharedSecret = response.TpmAuthData; } return(authHandle); }
public AuthorizationInfo[] GenerateResponseAuthData(IAuthorizableCommand cmd) { List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>(); List <ResponseAuthHandleInfo> responseAuthHandleInfos = new List <ResponseAuthHandleInfo>(cmd.ResponseAuthHandleInfos); responseAuthHandleInfos.Reverse(); List <AuthorizationInfo> localAuthorizationInfos = new List <AuthorizationInfo>(cmd.AuthorizationInfos); localAuthorizationInfos.Reverse(); Stack <ResponseAuthHandleInfo> responseAuthHandles = new Stack <ResponseAuthHandleInfo>(responseAuthHandleInfos); Stack <AuthorizationInfo> authorizationInfoQueue = new Stack <AuthorizationInfo>(localAuthorizationInfos); foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if (keyInfo == null) { continue; } ResponseAuthHandleInfo currentResponseAuthHandleInfo = responseAuthHandles.Pop(); AuthorizationInfo currentAuthorizationInfo = authorizationInfoQueue.Pop(); if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OIAP) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest (_ctx, new HashByteDataProvider(cmd.ResponseDigest), new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven), new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd), new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; request.KeyInfo = keyInfo; GenerateHMACResponse response = request.TypedExecute(); response.AssertResponse(); authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, response.TpmAuthData)); } else if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OSAP) { byte[] tpmAuth = new HMACProvider(currentAuthorizationInfo.Handle.SharedSecret).Hash( new HashByteDataProvider(cmd.ResponseDigest), new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven), new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd), new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession)); authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, tpmAuth)); } } return(authorizationInfos.ToArray()); }
/// <summary> /// Authorizes the command and returns the necessary authorization info /// Blocks till the user has entered the credentials /// </summary> /// <param name="cmd">Command to authorize</param> /// <returns></returns> public AuthorizationInfo[] AuthorizeCommand(IAuthorizableCommand cmd) { List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>(); using (AcquireLock()) { _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); } foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if (keyInfo == null) { continue; } AuthHandle authHandle; using (AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } //Generates the new nonceOdd before the client generates the auth data authHandle.NewNonceOdd(); if (authHandle.HandleAuthType == AuthHandle.AuthType.OIAP) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest (_ctx, new HashByteDataProvider(cmd.Digest), new HashByteDataProvider(authHandle.NonceEven), new HashByteDataProvider(authHandle.NonceOdd), new HashPrimitiveDataProvider(true) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; request.KeyInfo = keyInfo; GenerateHMACResponse response = request.TypedExecute(); response.AssertResponse(); authorizationInfos.Add(new AuthorizationInfo(authHandle, true, response.TpmAuthData)); } else if (authHandle.HandleAuthType == AuthHandle.AuthType.OSAP) { AssureOSAPSharedSecret(cmd, authSessionNum); byte[] hmac = new HMACProvider(authHandle.SharedSecret).Hash( new HashByteDataProvider(cmd.Digest), new HashByteDataProvider(authHandle.NonceEven), new HashByteDataProvider(authHandle.NonceOdd), new HashPrimitiveDataProvider(false)); // GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest // (_ctx, // new HashByteDataProvider(cmd.Digest), // new HashByteDataProvider(authHandle.NonceEven), // new HashByteDataProvider(authHandle.NonceOdd), // new HashPrimitiveDataProvider(false) // ); // // // request.TpmSessionIdentifier = _tpmSessionIdentifier; // request.KeyInfo = keyInfo; // // // GenerateHMACResponse response = request.TypedExecute (); // response.AssertResponse(); // authorizationInfos.Add(new AuthorizationInfo(authHandle, false, hmac)); } } return(authorizationInfos.ToArray()); }
/// <summary> /// Assures that the shared secret for the specified authorization handle has been /// calculated, if not it gets calculated. If no OSAP session exists, create it /// </summary> /// <param name="cmd"></param> /// <param name="sessionNum"></param> /// <returns></returns> public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum) { // using(AcquireLock()) // { // //Must not be called for OSAP at the moment because OSAP session are not cached // _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); // } // HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if(keyInfo == null) return null; AuthHandle authHandle; using(AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } // If shared secret has not yet been generated, do it if(authHandle.SharedSecret == null) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest( _ctx, new HashByteDataProvider(authHandle.NonceEvenOSAP), new HashByteDataProvider(authHandle.NonceOddOSAP) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; Parameters paramsSharedSecret = new Parameters(); if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE || cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK) { if(cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK) request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()); else { paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum)); request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret); } } else if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER) request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters()); else throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'", cmd.GetEntityType(authSessionNum))); GenerateHMACResponse response = request.TypedExecute (); response.AssertResponse(); authHandle.SharedSecret = response.TpmAuthData; } return authHandle; }
public AuthorizationInfo[] GenerateResponseAuthData(IAuthorizableCommand cmd) { List<AuthorizationInfo> authorizationInfos = new List<AuthorizationInfo>(); List<ResponseAuthHandleInfo> responseAuthHandleInfos = new List<ResponseAuthHandleInfo>(cmd.ResponseAuthHandleInfos); responseAuthHandleInfos.Reverse(); List<AuthorizationInfo> localAuthorizationInfos = new List<AuthorizationInfo>(cmd.AuthorizationInfos); localAuthorizationInfos.Reverse(); Stack<ResponseAuthHandleInfo> responseAuthHandles = new Stack<ResponseAuthHandleInfo>(responseAuthHandleInfos); Stack<AuthorizationInfo> authorizationInfoQueue = new Stack<AuthorizationInfo>(localAuthorizationInfos); foreach(AuthSessionNum authSessionNum in new AuthSessionNum[]{AuthSessionNum.Auth1, AuthSessionNum.Auth2}) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if(keyInfo == null) continue; ResponseAuthHandleInfo currentResponseAuthHandleInfo = responseAuthHandles.Pop(); AuthorizationInfo currentAuthorizationInfo = authorizationInfoQueue.Pop(); if(currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OIAP) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest (_ctx, new HashByteDataProvider(cmd.ResponseDigest), new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven), new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd), new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; request.KeyInfo = keyInfo; GenerateHMACResponse response = request.TypedExecute (); response.AssertResponse(); authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, response.TpmAuthData)); } else if(currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OSAP) { byte[] tpmAuth = new HMACProvider(currentAuthorizationInfo.Handle.SharedSecret).Hash( new HashByteDataProvider(cmd.ResponseDigest), new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven), new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd), new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession)); authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, tpmAuth)); } } return authorizationInfos.ToArray(); }
/// <summary> /// Authorizes the command and returns the necessary authorization info /// Blocks till the user has entered the credentials /// </summary> /// <param name="cmd">Command to authorize</param> /// <returns></returns> public AuthorizationInfo[] AuthorizeCommand(IAuthorizableCommand cmd) { List<AuthorizationInfo> authorizationInfos = new List<AuthorizationInfo>(); using(AcquireLock()) { _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); } foreach(AuthSessionNum authSessionNum in new AuthSessionNum[]{AuthSessionNum.Auth1, AuthSessionNum.Auth2}) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if(keyInfo == null) continue; AuthHandle authHandle; using(AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } //Generates the new nonceOdd before the client generates the auth data authHandle.NewNonceOdd(); if(authHandle.HandleAuthType == AuthHandle.AuthType.OIAP) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest (_ctx, new HashByteDataProvider(cmd.Digest), new HashByteDataProvider(authHandle.NonceEven), new HashByteDataProvider(authHandle.NonceOdd), new HashPrimitiveDataProvider(true) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; request.KeyInfo = keyInfo; GenerateHMACResponse response = request.TypedExecute (); response.AssertResponse(); authorizationInfos.Add(new AuthorizationInfo(authHandle, true, response.TpmAuthData)); } else if(authHandle.HandleAuthType == AuthHandle.AuthType.OSAP) { AssureOSAPSharedSecret(cmd, authSessionNum); byte[] hmac = new HMACProvider(authHandle.SharedSecret).Hash( new HashByteDataProvider(cmd.Digest), new HashByteDataProvider(authHandle.NonceEven), new HashByteDataProvider(authHandle.NonceOdd), new HashPrimitiveDataProvider(false)); // GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest // (_ctx, // new HashByteDataProvider(cmd.Digest), // new HashByteDataProvider(authHandle.NonceEven), // new HashByteDataProvider(authHandle.NonceOdd), // new HashPrimitiveDataProvider(false) // ); // // // request.TpmSessionIdentifier = _tpmSessionIdentifier; // request.KeyInfo = keyInfo; // // // GenerateHMACResponse response = request.TypedExecute (); // response.AssertResponse(); // authorizationInfos.Add(new AuthorizationInfo(authHandle, false, hmac)); } } return authorizationInfos.ToArray(); }