Пример #1
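        /// <summary>
        /// Creates a *software* root key.  The key will be random (not created from a seed).  The key can be used
        /// as the root of a software hierarchy that can be translated into a duplication blob ready for import into
        /// a TPM.  Depending on the type of key, the software root key can be a parent for other root keys that can
        /// comprise a migration group.  The caller should specify necessary key parameters in keyParameters.
        /// </summary>
        /// <param name="keyParameters">Public area (template) for the new key.  It is copied into the result and
        /// its unique field is replaced by the freshly generated public key.</param>
        /// <param name="authVal">Authorization value stored in the sensitive area of the new key.</param>
        /// <returns>A TssObject whose publicPart and sensitivePart describe the newly generated key.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="keyParameters"/> or <paramref name="authVal"/>
        /// is null.</exception>
        public static TssObject CreateStorageParent(TpmPublic keyParameters, AuthValue authVal)
        {
            // Fail with a descriptive exception instead of a NullReferenceException deeper in the method
            if (keyParameters == null)
            {
                throw new ArgumentNullException("keyParameters");
            }
            if (authVal == null)
            {
                throw new ArgumentNullException("authVal");
            }

            var newKey = new TssObject();

            // Generate the type-specific private part and the matching public id for the template
            IPublicIdUnion publicId;
            ISensitiveCompositeUnion sensitiveData = CreateSensitiveComposite(keyParameters, out publicId);

            // Public area: the caller's template with the generated public key plugged in
            newKey.publicPart        = keyParameters.Copy();
            newKey.publicPart.unique = publicId;

            // Symmetric key for the storage parent, sized by the template's symmetric definition.
            // NOTE(review): the Sensitive seedValue is documented as no larger than the nameAlg digest size —
            // confirm the configured symmetric key size never exceeds it.
            SymDefObject symDef = GetSymDef(keyParameters);
            byte[] symmKey;
            if (symDef.Algorithm != TpmAlgId.Null)
            {
                using (var symmCipher = SymmCipher.Create(symDef))
                {
                    // Only the raw key bytes are retained; the cipher object is released on leaving the block
                    symmKey = symmCipher.KeyData;
                }
            }
            else
            {
                // No symmetric algorithm configured: store an empty key
                symmKey = new byte[0];
            }

            // Sensitive area: authorization value, symmetric key and the type-specific private data
            newKey.sensitivePart = new Sensitive(authVal.AuthVal, symmKey, sensitiveData);

            return newKey;
        }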
Пример #2
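        /// <summary>
        /// Creates a *software* root key.  The key will be random (not created from a seed).  The key can be used
        /// as the root of a software hierarchy that can be translated into a duplication blob ready for import into
        /// a TPM.  Depending on the type of key, the software root key can be a parent for other root keys that can
        /// comprise a migration group.  The caller should specify necessary key parameters in keyParameters.
        /// </summary>
        /// <param name="keyParameters">Public area (template) for the new key.  It is copied into the result and
        /// its unique field is replaced by the freshly generated public key.</param>
        /// <param name="authVal">Authorization value stored in the sensitive area of the new key.</param>
        /// <returns>A TssObject whose publicPart and sensitivePart describe the newly generated key.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="keyParameters"/> or <paramref name="authVal"/>
        /// is null.</exception>
        public static TssObject CreateStorageParent(TpmPublic keyParameters, AuthValue authVal)
        {
            // Fail with a descriptive exception instead of a NullReferenceException deeper in the method
            if (keyParameters == null)
            {
                throw new ArgumentNullException("keyParameters");
            }
            if (authVal == null)
            {
                throw new ArgumentNullException("authVal");
            }

            var newKey = new TssObject();

            // Generate the type-specific private part and the matching public id for the template
            IPublicIdUnion publicId;
            ISensitiveCompositeUnion sensitiveData = CreateSensitiveComposite(keyParameters, out publicId);

            // Public area: the caller's template with the generated public key plugged in
            newKey.publicPart        = keyParameters.Copy();
            newKey.publicPart.unique = publicId;

            // Symmetric key (seed) for the storage parent: random bytes, one nameAlg digest long — the largest
            // size the Sensitive seedValue is documented to allow
            byte[] symmKey = Globs.GetRandomBytes(CryptoLib.DigestSize(keyParameters.nameAlg));

            // Sensitive area: authorization value, symmetric key and the type-specific private data
            newKey.sensitivePart = new Sensitive(authVal.AuthVal, symmKey, sensitiveData);

            return newKey;
        }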
Пример #3
        CreateSensitiveComposite(TpmPublic pub,
                                 ref byte[] keyData,
                                 out IPublicIdUnion publicId)
        {
            // Builds the type-specific private part (and, for RSA, the public id) of the key described by pub.
            // The modifiers and return type are declared on the line preceding this listing.
            //   pub      - public template; pub.type selects the RSA, symmetric-cipher or keyed-hash branch
            //   keyData  - caller-supplied symmetric/HMAC key bytes, or null to have a random key generated;
            //              on return holds the bytes actually used (must be null for RSA)
            //   publicId - receives the RSA public key; stays null for the other key types
            // Every rejection calls Globs.Throw and then returns null explicitly, which suggests Globs.Throw may
            // not throw in every configuration — callers should not rely on the result being non-null.
            ISensitiveCompositeUnion newSens = null;

            publicId = null;

            if (pub.type == TpmAlgId.Rsa)
            {
                // RSA key material is always generated here; supplied key bits are rejected
                if (keyData != null)
                {
                    Globs.Throw <ArgumentException>("Cannot specify key data for an RSA key");
                    return(null);
                }

                // NOTE(review): the 'as' cast is not null-checked — a template whose parameters are not RsaParms
                // fails with a NullReferenceException rather than the ArgumentException used elsewhere here.
                var newKeyPair = new RawRsa((pub.parameters as RsaParms).keyBits);

                // Put the key bits into the required structure envelopes
                newSens  = new Tpm2bPrivateKeyRsa(newKeyPair.Private);
                publicId = new Tpm2bPublicKeyRsa(newKeyPair.Public);
            }
            else if (pub.type == TpmAlgId.Symcipher)
            {
                var symDef = (SymDefObject)pub.parameters;
                if (symDef.Algorithm != TpmAlgId.Aes)
                {
                    Globs.Throw <ArgumentException>("Unsupported symmetric algorithm");
                    return(null);
                }

                // Key length in bytes, rounding a bit count that is not a multiple of 8 upwards
                int keySize = (symDef.KeyBits + 7) / 8;
                if (keyData == null)
                {
                    keyData = Globs.GetRandomBytes(keySize);
                }
                // NOTE(review): this length check looks inverted — a supplied key whose length differs from
                // keySize is accepted and copied, while a key of exactly keySize falls through to the
                // "Wrong symmetric key length" error. The keyed-hash branch below copies on the *accepted*
                // length; the intended condition here was most likely keyData.Length == keySize. Confirm
                // against the callers before changing.
                else if (keyData.Length != keySize)
                {
                    keyData = Globs.CopyData(keyData);
                }
                else
                {
                    Globs.Throw <ArgumentException>("Wrong symmetric key length");
                    return(null);
                }
                newSens = new Tpm2bSymKey(keyData);
            }
            else if (pub.type == TpmAlgId.Keyedhash)
            {
                // The HMAC hash is taken from the scheme when it names one, otherwise from nameAlg.
                // Same unguarded 'as' cast as in the RSA branch.
                var      scheme  = (pub.parameters as KeyedhashParms).scheme;
                TpmAlgId hashAlg = scheme is SchemeHash ? (scheme as SchemeHash).hashAlg
                                 : scheme is SchemeXor  ? (scheme as SchemeXor).hashAlg
                                                        : pub.nameAlg;
                var digestSize = CryptoLib.DigestSize(hashAlg);

                if (keyData == null)
                {
                    // A generated HMAC key is one digest long
                    keyData = Globs.GetRandomBytes(digestSize);
                }
                else if (keyData.Length <= CryptoLib.BlockSize(hashAlg))
                {
                    // Presumably copied so the new object does not alias the caller's array — confirm in Globs
                    keyData = Globs.CopyData(keyData);
                }
                else
                {
                    // Keys longer than the hash block are rejected rather than pre-hashed
                    Globs.Throw <ArgumentException>("HMAC key is too big");
                    return(null);
                }
                newSens = new Tpm2bSensitiveData(keyData);
            }
            else
            {
                // No return here: falls through to return the null newSens once Globs.Throw returns
                Globs.Throw <ArgumentException>("Unsupported key type");
            }

            return(newSens);
        }
Пример #4
 ///<summary>Constructs the sensitive (private) area of a TPM object from its three components: the authorization
 ///value, the seed/obfuscation value and the type-specific private data.</summary>
 ///<param name = "the_authValue">user authorization data. The authValue may be a zero-length string. This value shall not be larger than the size of the digest produced by the nameAlg of the object.</param>
 ///<param name = "the_seedValue">for asymmetric key object, the optional protection seed; for other objects, the obfuscation value. This value shall not be larger than the size of the digest produced by nameAlg of the object.</param>
 ///<param name = "the_sensitive">the type-specific private data (one of Tpm2bPrivateKeyRsa, Tpm2bEccParameter, Tpm2bSensitiveData, Tpm2bSymKey, Tpm2bPrivateVendorSpecific)</param>
 public Sensitive(byte[] the_authValue, byte[] the_seedValue, ISensitiveCompositeUnion the_sensitive)
 {
     // Plain field assignment; the arrays are stored as passed, not copied
     sensitive = the_sensitive;
     seedValue = the_seedValue;
     authValue = the_authValue;
 }