/// <summary>
/// Seals data to the specified pcr selection,
/// create a valid pcr selection with session.CreateEmptyPCRSelection
/// </summary>
/// <param name="pcrSelection"></param>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
paramsSeal.AddValue("pcr_selection", pcrSelection);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));
if (authSeal.Hashed == false)
{
authSeal.Hash();
}
authSeal.DecryptHash();
paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);
try
{
TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
return(sealResponse.Parameters.GetValueOf <byte[]>("data"));
}
finally
{
if (authSeal != null)
{
authSeal.ClearHash();
}
}
}
/// <summary>
/// Creates a new counter if possible.
/// Creating a counter requires the owner password and also the secret_counter secret
/// </summary>
/// <param name="label">4 bytes to label the counter</param>
/// <returns></returns>
public CounterContext CreateCounter(byte[] label)
{
if (label.Length != 4)
{
throw new ArgumentException("label needs to be of size 4");
}
ProtectedPasswordStorage counterSecret = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()));
if (counterSecret.Hashed == false)
{
counterSecret.Hash();
}
counterSecret.DecryptHash();
Parameters createCounterParams = new Parameters();
createCounterParams.AddPrimitiveType("secret", counterSecret.HashValue);
createCounterParams.AddPrimitiveType("label", label);
return(new CounterContext(_tpmSession,
_tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_CreateCounter, createCounterParams))
.Parameters.GetValueOf <uint>("counter_id")
));
}
public void TakeOwnership(ProtectedPasswordStorage ownerSecret, ProtectedPasswordStorage srkSecret)
{
_tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_OWNER, ownerSecret);
_tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_SRK, srkSecret);
IAsymmetricBlockCipher ekEncryptor = _tpmSession.EndorsementKeyHandling.PublicKey.CreateRSAEncrypter();
ownerSecret.DecryptHash();
byte[] encOwnerSecret = ekEncryptor.ProcessBlock(ownerSecret.HashValue, 0, ownerSecret.HashValue.Length);
ownerSecret.ClearHash();
srkSecret.DecryptHash();
byte[] encSrkSecret = ekEncryptor.ProcessBlock(srkSecret.HashValue, 0, srkSecret.HashValue.Length);
srkSecret.ClearHash();
Parameters parameters = new Parameters();
parameters.AddPrimitiveType(PARAM_OWNERAUTH, encOwnerSecret);
parameters.AddPrimitiveType(PARAM_SRKAUTH, encSrkSecret);
/*TPMCommandResponse response = */ BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_TakeOwnership, parameters);
}
public ClientKeyHandle CreateKey(string friendlyName, uint keyLength, TPMKeyUsage keyUsage, TPMKeyFlags keyFlags)
{
Parameters paramsCreateWrapKey = new Parameters();
paramsCreateWrapKey.AddPrimitiveType("parent", KeyIdentifier);
paramsCreateWrapKey.AddPrimitiveType("key_usage", keyUsage);
paramsCreateWrapKey.AddPrimitiveType("key_flags", keyFlags);
paramsCreateWrapKey.AddPrimitiveType("key_length", keyLength);
paramsCreateWrapKey.AddPrimitiveType("exponent", new byte[0]);
paramsCreateWrapKey.AddPrimitiveType("num_primes", (uint)0);
if (keyUsage == TPMKeyUsage.TPM_KEY_SIGNING)
{
paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_NONE);
paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1);
}
else
{
paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_RSAESOAEP_SHA1_MGF1);
paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_NONE);
}
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifierIsFriendlyName", true);
parameters.AddPrimitiveType("identifier", friendlyName);
ProtectedPasswordStorage authUsage = _tpmSession.RequestSecret(
new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));
if (authUsage.Hashed == false)
{
authUsage.Hash();
}
authUsage.DecryptHash();
paramsCreateWrapKey.AddPrimitiveType("usage_auth", authUsage.HashValue);
ProtectedPasswordStorage authMigration = null;
if ((keyFlags & TPMKeyFlags.Migratable) == TPMKeyFlags.Migratable)
{
authMigration = _tpmSession.RequestSecret(
new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyMigrationSecret, parameters));
authMigration.DecryptHash();
paramsCreateWrapKey.AddPrimitiveType("migration_auth", authMigration.HashValue);
}
else
{
paramsCreateWrapKey.AddPrimitiveType("migration_auth", new byte[20]);
}
try
{
TPMCommandResponse responseCreateWrapKey =
BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_CreateWrapKey, paramsCreateWrapKey);
_tpmSession.Keystore.AddKey(
friendlyName,
responseCreateWrapKey.Parameters.GetValueOf <string>("key_identifier"),
this.FriendlyName,
responseCreateWrapKey.Parameters.GetValueOf <byte[]>("key_data"));
return(new ClientKeyHandle(friendlyName, responseCreateWrapKey.Parameters.GetValueOf <string>("key_identifier"), _tpmSession));
}
finally
{
if (authMigration != null)
{
authMigration.ClearHash();
}
if (authUsage != null)
{
authUsage.ClearHash();
}
}
}