void ExternalKeyImportSample(Tpm2 tpm, TestContext testCtx)
{
// Create a software key (external to any TPM).
int keySize = 2048;
var externalRsaKey = new RawRsa(keySize);
// When an external key comes from a cert, one would need to extract the key size and
// byte buffers representing public and private parts of the key from the cert, an use
// them directly in the call to ImportExternalRsaKey() below (i.e. no RawRsa object is
// necessary).
// Signing scheme to use (it may come from the key's cert)
TpmAlgId sigHashAlg = Substrate.Random(TpmCfg.HashAlgs);
var sigScheme = new SchemeRsassa(sigHashAlg);
// An arbitrary external key would not have TPM key attributes associated with it.
// Yet some of them may be inferred from the cert based on the declared key purpose
// (ObjectAttr.Sign below). The others are defined by the intended TPM key usage
// scenarios, e.g. ObjectAttr.UserWithAuth tells TPM to allow key usage authorization
// using an auth value (random byte buffer) in a password or an HMAC session.
ObjectAttr keyAttrs = ObjectAttr.Sign | ObjectAttr.UserWithAuth;
// Generate an auth value for the imported matching in strength the signing scheme
byte[] authVal = Substrate.RandomAuth(sigHashAlg);
// We need a storage key to use as a parent of the imported key.
// The following helper creates an RSA primary storage key.
TpmHandle hParent = Substrate.CreateRsaPrimary(tpm);
TssObject importedKey = ImportExternalRsaKey(tpm, hParent,
keySize, sigScheme,
externalRsaKey.Public, externalRsaKey.Private,
keyAttrs, authVal);
// Now we can load the newly imported key into the TPM, ...
TpmHandle hImportedKey = tpm.Load(hParent, importedKey.Private, importedKey.Public);
// ... let the TSS know the auth value associated with this handle, ...
hImportedKey.SetAuth(authVal);
// ... and use it to sign something to check if import was OK
TpmHash toSign = TpmHash.FromRandom(sigHashAlg);
ISignatureUnion sig = tpm.Sign(hImportedKey, toSign, null, new TkHashcheck());
// Verify that the signature is correct using the public part of the imported key
bool sigOk = importedKey.Public.VerifySignatureOverHash(toSign, sig);
testCtx.Assert("Signature.OK", sigOk);
// Cleanup
tpm.FlushContext(hImportedKey);
// The parent key handle can be flushed immediately after it was used in the Load() command
tpm.FlushContext(hParent);
// Imported private/public key pair (in the TssObject) can be stored on disk, in the cloud,
// etc. (no additional protection is necessary), and loaded into the TPM as above whenever
// the key is needed.
// Alternatively the key can be persisted in the TPM using the EvictControl() command
} // ExternalKeyImportSample
void TestSerialization(Tpm2 tpm, TestContext testCtx)
{
// test library serialization (not a TPM test)
TpmAlgId hashAlg = Substrate.Random(TpmCfg.HashAlgs);
// make some moderately complicated TPM structures
var inPub = new TpmPublic(hashAlg,
ObjectAttr.Sign | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
| ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
null,
new RsaParms(new SymDefObject(), new SchemeRsassa(hashAlg),
Substrate.Random(TpmCfg.RsaKeySizes), 0),
new Tpm2bPublicKeyRsa());
TpmPublic pub;
TpmHandle hKey = Substrate.CreateAndLoad(tpm, inPub, out pub);
TpmHash hashToSign = TpmHash.FromRandom(hashAlg);
var proof = new TkHashcheck(TpmRh.Null, null);
var sig = tpm.Sign(hKey, hashToSign, new SchemeRsassa(hashAlg), proof);
tpm.FlushContext(hKey);
// Simple TPM-hash to/from JSON
TpmHash h = TpmHash.FromString(hashAlg, "hello");
MemoryStream s2 = new MemoryStream();
DataContractJsonSerializer ser2 = new DataContractJsonSerializer(typeof(TpmHash));
ser2.WriteObject(s2, h);
s2.Flush();
string jsonString2 = Encoding.ASCII.GetString(s2.ToArray());
TpmHash h2 = (TpmHash)ser2.ReadObject(new MemoryStream(s2.ToArray()));
testCtx.AssertEqual("JSON.Simple", h, h2);
// JSON more complex -
MemoryStream s = new MemoryStream();
DataContractJsonSerializer ser = new DataContractJsonSerializer(typeof(TpmPublic));
ser.WriteObject(s, pub);
s.Flush();
string jsonString = Encoding.ASCII.GetString(s.ToArray());
TpmPublic reconstruct = (TpmPublic)ser.ReadObject(new MemoryStream(s.ToArray()));
testCtx.AssertEqual("JSON.Complex", pub, reconstruct);
// XML
s = new MemoryStream();
DataContractSerializer s4 = new DataContractSerializer(typeof(TpmPublic));
s4.WriteObject(s, pub);
s.Flush();
string xmlString = Encoding.ASCII.GetString(s.ToArray());
TpmPublic rec4 = (TpmPublic)s4.ReadObject(new MemoryStream(s.ToArray()));
testCtx.AssertEqual("XML.Complex", pub, rec4, s4);
} // TestSerialization
