/// <summary>
/// Create an enveloped (encrypted and integrity protected) private area from a provided sensitive.
/// </summary>
/// <param name="iv"></param>
/// <param name="sens"></param>
/// <param name="nameHash"></param>
/// <param name="publicName"></param>
/// <param name="symWrappingAlg"></param>
/// <param name="symKey"></param>
/// <param name="parentNameAlg"></param>
/// <param name="parentSeed"></param>
/// <param name="f"></param>
/// <returns></returns>
public static byte[] CreatePrivateFromSensitive(
SymDefObject symWrappingAlg,
byte[] symKey,
byte[] iv,
Sensitive sens,
TpmAlgId nameHash,
byte[] publicName,
TpmAlgId parentNameAlg,
byte[] parentSeed,
TssObject.Transformer f = null)
{
// ReSharper disable once InconsistentNaming
byte[] tpm2bIv = Marshaller.ToTpm2B(iv);
Transform(tpm2bIv, f);
byte[] sensitive = sens.GetTpmRepresentation();
Transform(sensitive, f);
// ReSharper disable once InconsistentNaming
byte[] tpm2bSensitive = Marshaller.ToTpm2B(sensitive);
Transform(tpm2bSensitive, f);
byte[] encSensitive = SymmCipher.Encrypt(symWrappingAlg, symKey, iv, tpm2bSensitive);
Transform(encSensitive, f);
byte[] decSensitive = SymmCipher.Decrypt(symWrappingAlg, symKey, iv, encSensitive);
Debug.Assert(f != null || Globs.ArraysAreEqual(decSensitive, tpm2bSensitive));
uint hmacKeyBits = (uint)CryptoLib.DigestSize(parentNameAlg) * 8;
byte[] hmacKey = KDF.KDFa(parentNameAlg, parentSeed, "INTEGRITY", new byte[0], new byte[0], hmacKeyBits);
Transform(hmacKey, f);
byte[] dataToHmac = Marshaller.GetTpmRepresentation(tpm2bIv,
encSensitive,
publicName);
Transform(dataToHmac, f);
byte[] outerHmac = CryptoLib.HmacData(parentNameAlg, hmacKey, dataToHmac);
Transform(outerHmac, f);
byte[] priv = Marshaller.GetTpmRepresentation(Marshaller.ToTpm2B(outerHmac),
tpm2bIv,
encSensitive);
Transform(priv, f);
return priv;
}
/// <summary>
/// Creates a *software* root key. The key will be random (not created from a seed). The key can be used
/// as the root of a software hierarchy that can be translated into a duplication blob ready for import into
/// a TPM. Depending on the type of key, the software root key can be a parent for other root keys that can
/// comprise a migration group. The caller should specify necessary key parameters in Public.
/// </summary>
/// <returns></returns>
public static TssObject CreateStorageParent(TpmPublic keyParameters, AuthValue authVal)
{
var newKey = new TssObject();
// Create a new asymmetric key from the supplied parameters
IPublicIdUnion publicId;
ISensitiveCompositeUnion sensitiveData = CreateSensitiveComposite(keyParameters, out publicId);
// fill in the public data
newKey.publicPart = keyParameters.Copy();
newKey.publicPart.unique = publicId;
// Create the associated symmetric key -
SymDefObject symDef = GetSymDef(keyParameters);
byte[] symmKey;
if (symDef.Algorithm != TpmAlgId.Null)
{
using (var symmCipher = SymmCipher.Create(symDef))
{
symmKey = symmCipher.KeyData;
}
}
else
{
symmKey = new byte[0];
}
// Fill in the fields for the symmetric private-part of the asymmetric key
var sens = new Sensitive(authVal.AuthVal, symmKey, sensitiveData);
newKey.sensitivePart = sens;
// And return the new key
return newKey;
}
///<param name = "the_integrityOuter"></param>
///<param name = "the_integrityInner">could also be a TPM2B_IV</param>
///<param name = "the_sensitive">the sensitive area</param>
public Private(
byte[] the_integrityOuter,
byte[] the_integrityInner,
Sensitive the_sensitive
)
{
this.integrityOuter = the_integrityOuter;
this.integrityInner = the_integrityInner;
this.sensitive = the_sensitive;
}
public Private()
{
integrityOuter = new byte[0];
integrityInner = new byte[0];
sensitive = new Sensitive();
}
public Private(Private the_Private)
{
if((Object) the_Private == null ) throw new ArgumentException(Globs.GetResourceString("parmError"));
integrityOuter = the_Private.integrityOuter;
integrityInner = the_Private.integrityInner;
sensitive = the_Private.sensitive;
}
public Tpm2bSensitive(Tpm2bSensitive the_Tpm2bSensitive)
{
if((Object) the_Tpm2bSensitive == null ) throw new ArgumentException(Globs.GetResourceString("parmError"));
sensitiveArea = the_Tpm2bSensitive.sensitiveArea;
}
///<param name = "the_sensitiveArea">an unencrypted sensitive area</param>
public Tpm2bSensitive(
Sensitive the_sensitiveArea
)
{
this.sensitiveArea = the_sensitiveArea;
}
public Sensitive(Sensitive the_Sensitive)
{
if((Object) the_Sensitive == null ) throw new ArgumentException(Globs.GetResourceString("parmError"));
authValue = the_Sensitive.authValue;
seedValue = the_Sensitive.seedValue;
}
public Tpm2bSensitive()
{
sensitiveArea = new Sensitive();
}
///<param name = "the_publicPart">Public part of key</param>
///<param name = "the_sensitivePart">Sensitive part of key</param>
///<param name = "the_privatePart">Private part is the encrypted sensitive part of key</param>
public TssObject(
TpmPublic the_publicPart,
Sensitive the_sensitivePart,
TpmPrivate the_privatePart
)
{
this.publicPart = the_publicPart;
this.sensitivePart = the_sensitivePart;
this.privatePart = the_privatePart;
}
public TpmHandle LoadExternal(
Sensitive inPrivate,
TpmPublic inPublic,
TpmHandle hierarchy
)
{
Tpm2LoadExternalRequest inS = new Tpm2LoadExternalRequest();
inS.inPrivate = inPrivate;
inS.inPublic = inPublic;
inS.hierarchy = hierarchy;
TpmStructureBase outSBase;
DispatchMethod(TpmCc.LoadExternal, (TpmStructureBase) inS, typeof(Tpm2LoadExternalResponse), out outSBase, 0, 1);
Tpm2LoadExternalResponse outS = (Tpm2LoadExternalResponse) outSBase;
return outS.objectHandle;
}
public TssObject()
{
publicPart = new TpmPublic();
sensitivePart = new Sensitive();
privatePart = new TpmPrivate();
}
///<param name = "the_inPrivate">the sensitive portion of the object (optional)</param>
///<param name = "the_inPublic">the public portion of the object</param>
///<param name = "the_hierarchy">hierarchy with which the object area is associated</param>
public Tpm2LoadExternalRequest(
Sensitive the_inPrivate,
TpmPublic the_inPublic,
TpmHandle the_hierarchy
)
{
this.inPrivate = the_inPrivate;
this.inPublic = the_inPublic;
this.hierarchy = the_hierarchy;
}
public Tpm2LoadExternalRequest()
{
inPrivate = new Sensitive();
inPublic = new TpmPublic();
hierarchy = new TpmHandle();
}
public Private()
{
integrityOuter = null;
integrityInner = null;
sensitive = new Sensitive();
}
/// <summary>
/// Creates a *software* root key. The key will be random (not created from a seed). The key can be used
/// as the root of a software hierarchy that can be translated into a duplication blob ready for import into
/// a TPM. Depending on the type of key, the software root key can be a parent for other root keys that can
/// comprise a migration group. The caller should specify necessary key parameters in Public.
/// </summary>
/// <returns></returns>
public static TssObject CreateStorageParent(TpmPublic keyParameters, AuthValue authVal)
{
var newKey = new TssObject();
// Create a new asymmetric key from the supplied parameters
IPublicIdUnion publicId;
ISensitiveCompositeUnion sensitiveData = CreateSensitiveComposite(keyParameters, out publicId);
// fill in the public data
newKey.publicPart = keyParameters.Copy();
newKey.publicPart.unique = publicId;
// Create the associated symmetric key
byte[] symmKey = Globs.GetRandomBytes(CryptoLib.DigestSize(keyParameters.nameAlg));
// Fill in the fields for the symmetric private-part of the asymmetric key
var sens = new Sensitive(authVal.AuthVal, symmKey, sensitiveData);
newKey.sensitivePart = sens;
// And return the new key
return newKey;
}