/// <summary>
/// Releases the unmanaged resources used by the SecurityProviderTpmHsm and optionally disposes of the managed resources.
/// </summary>
/// <param name="disposing">true to release both managed and unmanaged resources; false to releases only unmanaged resources.</param>
protected override void Dispose(bool disposing)
{
if (_disposed)
{
return;
}
if (Logging.IsEnabled)
{
Logging.Info(this, "Disposing");
}
if (disposing)
{
// _tpmDevice is owned by _tpm2, which will disposed it, but not if it is null
if (_tpm2 == null)
{
_tpmDevice?.Dispose();
_tpmDevice = null;
}
_tpm2.Dispose();
_tpm2 = null;
}
_disposed = true;
}
private string GetHeldData()
{
TpmHandle nvUriHandle = new TpmHandle(AIOTH_PERSISTED_URI_INDEX + logicalDeviceId);
Byte[] nvData;
string iotHubUri = "";
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Read the URI from the TPM
Byte[] name;
NvPublic nvPublic = tpm.NvReadPublic(nvUriHandle, out name);
nvData = tpm.NvRead(nvUriHandle, nvUriHandle, nvPublic.dataSize, 0);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(iotHubUri);
}
// Convert the data to a srting for output
iotHubUri = System.Text.Encoding.UTF8.GetString(nvData);
return(iotHubUri);
}
public static void SaveValueIntoTpm(int address, byte[] data, int length)
{
Tpm2Device tpmDevice;
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(System.Runtime.InteropServices.OSPlatform.Windows))
{
tpmDevice = new TbsDevice();
}
else
{
tpmDevice = new LinuxTpmDevice();
}
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
var ownerAuth = new AuthValue();
TpmHandle nvHandle = TpmHandle.NV(address);
tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
AuthValue nvAuth = authValue;
var nvPublic = new NvPublic(nvHandle, TpmAlgId.Sha1, NvAttr.Authwrite | NvAttr.Authread, new byte[0], (ushort)length);
tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, nvAuth, nvPublic);
tpm[nvAuth].NvWrite(nvHandle, nvHandle, data, 0);
tpm.Dispose();
}
/// <summary>
/// This sample illustrates the use of the resource manager built into
/// Tpm2Lib. Using the resource manager relieves the programmer of the
/// (sometimes burdensome) chore of juggling a small number of TPM slots
/// </summary>
/// <param name="tpm">Reference to the TPM object.</param>
static void ResourceManager(Tpm2 tpm)
{
//
// The Tbs device class has a built-in resource manager. We create an
// instance of the Tbs device class, but hook it up to the TCP device
// created above. We also tell the Tbs device class to clean the TPM
// before we start using it.
// This sample won't work on top of the default Windows resource manager
// (TBS).
//
var tbs = new Tbs(tpm._GetUnderlyingDevice(), false);
var tbsTpm = new Tpm2(tbs.CreateTbsContext());
//
// Make more sessions than the TPM has room for
//
const int count = 32;
var sessions = new AuthSession[count];
for (int j = 0; j < count; j++)
{
sessions[j] = tbsTpm.StartAuthSessionEx(TpmSe.Policy, TpmAlgId.Sha1);
}
Console.WriteLine("Created {0} sessions.", count);
//
// And now use them. The resource manager will use ContextLoad and
// ContextSave to bring them into the TPM
//
for (int j = 0; j < count; j++)
{
tbsTpm.PolicyAuthValue(sessions[j].Handle);
}
Console.WriteLine("Used {0} sessions.", count);
//
// And now clean up
//
for (int j = 0; j < count; j++)
{
tbsTpm.FlushContext(sessions[j].Handle);
}
Console.WriteLine("Cleaned up.");
//
// Dispose of the Tbs device object.
//
tbsTpm.Dispose();
}
protected override void Dispose(bool disposing)
{
if (disposing)
{
_tcpTpmDevice?.Dispose();
_tcpTpmDevice = null;
_tpm2?.Dispose();
_tpm2 = null;
_innerClient?.Dispose();
_innerClient = null;
}
}
/// <summary>
/// Executes the hashing functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the TPM
/// commands on that connection.
/// </summary>
static void Main()
{
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
ResetDALogic(tpm);
ResourceManager(tpm);
PowerAndLocality(tpm);
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// Releases the unmanaged resources used by the SecurityProviderTpmHsm and optionally disposes of the managed resources.
/// </summary>
/// <param name="disposing">true to release both managed and unmanaged resources; false to releases only unmanaged resources.</param>
protected override void Dispose(bool disposing)
{
if (disposed)
{
return;
}
if (Logging.IsEnabled)
{
Logging.Info(this, "Disposing");
}
if (disposing)
{
// _tpmDevice is owned by _tpm2 and will be disposed as well.
_tpm2.Dispose();
}
disposed = true;
}
public void Destroy()
{
TpmHandle nvHandle = new TpmHandle(AIOTH_PERSISTED_URI_INDEX + logicalDeviceId);
TpmHandle ownerHandle = new TpmHandle(TpmRh.Owner);
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Destyroy the URI
tpm.NvUndefineSpace(ownerHandle, nvHandle);
// Destroy the HMAC key
tpm.EvictControl(ownerHandle, hmacKeyHandle, hmacKeyHandle);
// Dispose of the TPM
tpm.Dispose();
}
/// <summary>
/// Releases the unmanaged resources used by the SecurityProviderTpmHsm and optionally disposes of the managed resources.
/// </summary>
/// <param name="disposing">true to release both managed and unmanaged resources; false to releases only unmanaged resources.</param>
protected override void Dispose(bool disposing)
{
if (disposed)
{
return;
}
if (Logging.IsEnabled)
{
Logging.Info(this, "Disposing");
}
if (disposing)
{
_tpm2?.Dispose();
_tpm2 = null;
_tpmDevice = null;
}
disposed = true;
}
public static byte[] ReadValueFromTpm(int address, int length)
{
Tpm2Device tpmDevice;
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(System.Runtime.InteropServices.OSPlatform.Windows))
{
tpmDevice = new TbsDevice();
}
else
{
tpmDevice = new LinuxTpmDevice();
}
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
TpmHandle nvHandle = TpmHandle.NV(address);
AuthValue nvAuth = authValue;
byte[] newData = tpm[nvAuth].NvRead(nvHandle, nvHandle, (ushort)length, 0);
tpm.Dispose();
return(newData);
}
/// <summary>
/// Executes the hashing functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the TPM
/// commands on that connection.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice = new TbsDevice();
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
//
// Run test
//
NvReadWriteWithOwnerAuth(tpm);
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
Console.WriteLine("{0}", e.StackTrace);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
private void button_Click(object sender, Windows.UI.Xaml.RoutedEventArgs e)
{
try
{
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
NVReadWrite(tpm);
NVCounter(tpm);
tpm.Dispose();
}
catch (Exception ex)
{
this.textBlock.Text = "Exception occurred: " + ex.Message;
}
}
public static byte[] ReadData(int tailleData)
{
Tpm2Device tpmDevice;
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(System.Runtime.InteropServices.OSPlatform.Windows))
{
tpmDevice = new TbsDevice();
}
else
{
tpmDevice = new LinuxTpmDevice();
}
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
TpmHandle nvHandle = TpmHandle.NV(indexTMPSlot);
AuthValue nvAuth = nvAuthValue;
byte[] newData = tpm[nvAuth].NvRead(nvHandle, nvHandle, (ushort)tailleData, 0);
tpm.Dispose();
return(newData);
}
public string GetHardwareDeviceId()
{
TpmHandle srkHandle = new TpmHandle(SRK_HANDLE);
string hardwareDeviceId = "";
Byte[] name;
Byte[] qualifiedName;
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Read the URI from the TPM
TpmPublic srk = tpm.ReadPublic(srkHandle, out name, out qualifiedName);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(hardwareDeviceId);
}
// Calculate the hardware device id for this logical device
byte[] deviceId = CryptoLib.HashData(TpmAlgId.Sha256, BitConverter.GetBytes(logicalDeviceId), name);
// Produce the output string
foreach (byte n in deviceId)
{
hardwareDeviceId += n.ToString("x2");
}
return(hardwareDeviceId);
}
/// <summary>
/// Executes the GetCapabilities functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the GetCapabilities
/// command on that connection. If the command was successful, the retrieved
/// capabilities are displayed.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
//
// Query different capabilities
//
ICapabilitiesUnion caps;
tpm.GetCapability(Cap.Algs, 0, 1000, out caps);
var algsx = (AlgPropertyArray)caps;
Console.WriteLine("Supported algorithms:");
foreach (var alg in algsx.algProperties)
{
Console.WriteLine(" {0}", alg.alg.ToString());
}
Console.WriteLine("Supported commands:");
tpm.GetCapability(Cap.TpmProperties, (uint)Pt.TotalCommands, 1, out caps);
tpm.GetCapability(Cap.Commands, (uint)TpmCc.First + 1, TpmCc.Last - TpmCc.First + 1, out caps);
var commands = (CcaArray)caps;
List <TpmCc> implementedCc = new List <TpmCc>();
foreach (var attr in commands.commandAttributes)
{
var commandCode = (TpmCc)((uint)attr & 0x0000FFFFU);
//
// Filter placehoder(s)
//
if (commandCode == TpmCc.None)
{
continue;
}
implementedCc.Add(commandCode);
Console.WriteLine(" {0}", commandCode.ToString());
}
Console.WriteLine("Commands from spec not implemented:");
foreach (var cc in Enum.GetValues(typeof(TpmCc)))
{
if (!implementedCc.Contains((TpmCc)cc) &&
//
// Fiter placeholder(s)
//
((TpmCc)cc != TpmCc.None) &&
((TpmCc)cc != TpmCc.First) &&
((TpmCc)cc != TpmCc.Last))
{
Console.WriteLine(" {0}", cc.ToString());
}
}
//
// As an alternative: call GetCapabilities more than once to obtain all values
//
byte more;
var firstCommandCode = (uint)TpmCc.None;
do
{
more = tpm.GetCapability(Cap.Commands, firstCommandCode, 10, out caps);
commands = (CcaArray)caps;
//
// Commands are sorted; getting the last element as it will be the largest.
//
uint lastCommandCode = (uint)commands.commandAttributes[commands.commandAttributes.Length - 1] & 0x0000FFFFU;
firstCommandCode = lastCommandCode;
} while (more == 1);
//
// Read PCR attributes. Cap.Pcrs returns the list of PCRs which are supported
// in different PCR banks. The PCR banks are identified by the hash algorithm
// used to extend values into the PCRs of this bank.
//
tpm.GetCapability(Cap.Pcrs, 0, 255, out caps);
PcrSelection[] pcrs = ((PcrSelectionArray)caps).pcrSelections;
Console.WriteLine();
Console.WriteLine("Available PCR banks:");
foreach (PcrSelection pcrBank in pcrs)
{
var sb = new StringBuilder();
sb.AppendFormat("PCR bank for algorithm {0} has registers at index:", pcrBank.hash);
sb.AppendLine();
foreach (uint selectedPcr in pcrBank.GetSelectedPcrs())
{
sb.AppendFormat("{0},", selectedPcr);
}
Console.WriteLine(sb);
}
//
// Read PCR attributes. Cap.PcrProperties checks for certain properties of each PCR register.
//
tpm.GetCapability(Cap.PcrProperties, 0, 255, out caps);
Console.WriteLine();
Console.WriteLine("PCR attributes:");
TaggedPcrSelect[] pcrProperties = ((TaggedPcrPropertyArray)caps).pcrProperty;
foreach (TaggedPcrSelect pcrProperty in pcrProperties)
{
if ((PtPcr)pcrProperty.tag == PtPcr.None)
{
continue;
}
uint pcrIndex = 0;
var sb = new StringBuilder();
sb.AppendFormat("PCR property {0} supported by these registers: ", (PtPcr)pcrProperty.tag);
sb.AppendLine();
foreach (byte pcrBitmap in pcrProperty.pcrSelect)
{
for (int i = 0; i < 8; i++)
{
if ((pcrBitmap & (1 << i)) != 0)
{
sb.AppendFormat("{0},", pcrIndex);
}
pcrIndex++;
}
}
Console.WriteLine(sb);
}
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// Executes the hashing functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the TPM
/// commands on that connection.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
NVReadWrite(tpm);
NVCounter(tpm);
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// After parsing the arguments for the TPM device, the program executes a read
/// of the prior initialized NV index (3001). The program then outputs the 8 bytes
/// previously stored at that index.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
case DeviceLinux:
tpmDevice = new LinuxTpmDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
NVReadOnly(tpm);
// TPM clean up procedure
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// Executes the hashing functionality. After parsing arguments, the
/// function connects to the selected TPM device and invokes the TPM
/// commands on that connection.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName = ParseArguments(args);
if (tpmDeviceName == null)
{
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSim:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
case DeviceLinux:
tpmDevice = new LinuxTpmDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
Pcrs(tpm);
QuotePcrs(tpm);
StorageRootKey(tpm);
//
// Need a synchronization event to avoid disposing TPM object before
// asynchronous method completed.
//
var sync = new AutoResetEvent(false);
Console.WriteLine("Calling asynchronous method.");
PrimarySigningKeyAsync(tpm, sync);
Console.WriteLine("Waiting for asynchronous method to complete.");
sync.WaitOne();
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// This sample demonstrates the creation of a signing "primary" key and use of this
/// key to sign data, and use of the TPM and Tpm2Lib to validate the signature.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
string tpmDeviceName;
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
//
// Run individual tests.
//
SimplePolicy(tpm);
PolicyOr(tpm);
PolicySerialization();
PolicyEvaluationWithCallback(tpm);
PolicyEvaluationWithCallback2(tpm);
//
// Clean up.
//
tpm.Dispose();
}
catch (TpmException e)
{
//
// If a command fails because an unexpected return code is in the response,
// i.e., TPM returns an error code where success is expected or success
// where an error code is expected. Or if the response is malformed, then
// the unmarshaling code will throw a TPM exception.
// The Error string will contain a description of the return code. Usually the
// return code will be a known TPM return code. However, if using the TPM through
// TBS, TBS might encode internal error codes into the response code. For instance
// a return code of 0x80280400 indicates that a command is blocked by TBS. This
// error code is also returned if the command is not implemented by the TPM.
//
// You can see the information included in the TPM exception by removing the
// checks for available TPM commands above and running the sample on a TPM
// without the required commands.
//
Console.WriteLine("TPM exception occurred: {0}", e.ErrorString);
Console.WriteLine("Call stack: {0}", e.StackTrace);
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
public static void Main(string[] args)
{
try
{
// Keypair Generator
RsaKeyPairGenerator kpGenerator = new RsaKeyPairGenerator();
kpGenerator.Init(new KeyGenerationParameters(new SecureRandom(), 1024));
// Create a keypair
AsymmetricCipherKeyPair keys = kpGenerator.GenerateKeyPair();
// Connect to the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
Tpm2 tpm = new Tpm2(tpmDevice);
AuthValue ownerAuth = new AuthValue();
// Create a handle based on the hash of the cert thumbprint
ushort hashcode = (ushort)keys.GetHashCode();
TpmHandle nvHandle = TpmHandle.NV(hashcode);
// Clean up the slot
tpm[ownerAuth]._AllowErrors().NvUndefineSpace(TpmHandle.RhOwner, nvHandle);
// Export serial number, the "valid from" date (the cert will be valid for 1 year, so no need to store that date, too!), the size of the keys blob and the keys themselves
TextWriter textWriter = new StringWriter();
PemWriter pemWriter = new PemWriter(textWriter);
pemWriter.WriteObject(keys);
pemWriter.Writer.Flush();
byte[] rawData = Encoding.ASCII.GetBytes(textWriter.ToString().ToCharArray());
ushort size = (ushort)(sizeof(long) + sizeof(long) + rawData.Length + sizeof(int) + 64);
ushort offset = 0;
// Define a slot for the keys, which is 64 bytes bigger than we need as we write in 64-byte chunks
tpm[ownerAuth].NvDefineSpace(TpmHandle.RhOwner, ownerAuth, new NvPublic(nvHandle, TpmAlgId.Sha256, NvAttr.Authread | NvAttr.Authwrite, new byte[0], size));
// Write the serial number
tpm[ownerAuth].NvWrite(nvHandle, nvHandle, BitConverter.GetBytes(BigInteger.ProbablePrime(120, new Random()).LongValue), offset);
offset += sizeof(long);
// Write the "valid from" date (today) in FileTime format
tpm[ownerAuth].NvWrite(nvHandle, nvHandle, BitConverter.GetBytes(DateTime.Today.ToFileTime()), offset);
offset += sizeof(long);
// Write the size of the keys
tpm[ownerAuth].NvWrite(nvHandle, nvHandle, BitConverter.GetBytes(rawData.Length), offset);
offset += sizeof(int);
// Write the keys themselves (in 64-byte chunks)
byte[] dataToWrite = new byte[64];
int index = 0;
while (index < rawData.Length)
{
for (int i = 0; i < 64; i++)
{
if (index < rawData.Length)
{
dataToWrite[i] = rawData[index];
index++;
}
else
{
// fill the rest of the buffer with zeros
dataToWrite[i] = 0;
}
}
tpm[ownerAuth].NvWrite(nvHandle, nvHandle, dataToWrite, offset);
offset += 64;
}
tpm.Dispose();
Console.WriteLine("Keys successfully generated and copied to TPM. Hashcode=" + hashcode.ToString());
}
catch (Exception e)
{
Console.WriteLine("Could not generate or copy keys to TPM: " + e.Message);
}
}
public Byte[] SignHmac(Byte[] dataToSign)
{
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
int dataIndex = 0;
Byte[] iterationBuffer;
Byte[] hmac = { };
if (dataToSign.Length <= 1024)
{
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Calculate the HMAC in one shot
hmac = tpm.Hmac(hmacKeyHandle, dataToSign, TpmAlgId.Sha256);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(hmac);
}
}
else
{
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Start the HMAC sequence
Byte[] hmacAuth = new byte[0];
TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, hmacAuth, TpmAlgId.Sha256);
while (dataToSign.Length > dataIndex + 1024)
{
// Repeat to update the hmac until we only hace <=1024 bytes left
iterationBuffer = new Byte[1024];
Array.Copy(dataToSign, dataIndex, iterationBuffer, 0, 1024);
tpm.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += 1024;
}
// Finalize the hmac with the remainder of the data
iterationBuffer = new Byte[dataToSign.Length - dataIndex];
Array.Copy(dataToSign, dataIndex, iterationBuffer, 0, dataToSign.Length - dataIndex);
TkHashcheck nullChk;
hmac = tpm.SequenceComplete(hmacHandle, iterationBuffer, TpmHandle.RhNull, out nullChk);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(hmac);
}
}
return(hmac);
}
/// <summary>
/// This sample demonstrates the creation of a signing "primary" key and use of this
/// key to sign data, and use of the TPM and TSS.Net to validate the signature.
/// </summary>
/// <param name="args">Arguments to this program.</param>
static void Main(string[] args)
{
//
// Parse the program arguments. If the wrong arguments are given or
// are malformed, then instructions for usage are displayed and
// the program terminates.
//
string tpmDeviceName;
if (!ParseArguments(args, out tpmDeviceName))
{
WriteUsage();
return;
}
try
{
//
// Create the device according to the selected connection.
//
Tpm2Device tpmDevice;
switch (tpmDeviceName)
{
case DeviceSimulator:
tpmDevice = new TcpTpmDevice(DefaultSimulatorName, DefaultSimulatorPort);
break;
case DeviceWinTbs:
tpmDevice = new TbsDevice();
break;
default:
throw new Exception("Unknown device selected.");
}
//
// Connect to the TPM device. This function actually establishes the
// connection.
//
tpmDevice.Connect();
//
// Pass the device object used for communication to the TPM 2.0 object
// which provides the command interface.
//
var tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice)
{
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
}
//
// AuthValue encapsulates an authorization value: essentially a byte-array.
// OwnerAuth is the owner authorization value of the TPM-under-test. We
// assume that it (and other) auths are set to the default (null) value.
// If running on a real TPM, which has been provisioned by Windows, this
// value will be different. An administrator can retrieve the owner
// authorization value from the registry.
//
var ownerAuth = new AuthValue();
//
// The TPM needs a template that describes the parameters of the key
// or other object to be created. The template below instructs the TPM
// to create a new 2048-bit non-migratable signing key.
//
var keyTemplate = new TpmPublic(TpmAlgId.Sha1, // Name algorithm
ObjectAttr.UserWithAuth | ObjectAttr.Sign | // Signing key
ObjectAttr.FixedParent | ObjectAttr.FixedTPM | // Non-migratable
ObjectAttr.SensitiveDataOrigin,
null, // No policy
new RsaParms(new SymDefObject(),
new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
new Tpm2bPublicKeyRsa());
//
// Authorization for the key we are about to create.
//
var keyAuth = new byte[] { 1, 2, 3 };
TpmPublic keyPublic;
CreationData creationData;
TkCreation creationTicket;
byte[] creationHash;
//
// Ask the TPM to create a new primary RSA signing key.
//
TpmHandle keyHandle = tpm[ownerAuth].CreatePrimary(
TpmRh.Owner, // In the owner-hierarchy
new SensitiveCreate(keyAuth, null), // With this auth-value
keyTemplate, // Describes key
null, // Extra data for creation ticket
new PcrSelection[0], // Non-PCR-bound
out keyPublic, // PubKey and attributes
out creationData, out creationHash, out creationTicket); // Not used here
//
// Print out text-versions of the public key just created
//
Console.WriteLine("New public key\n" + keyPublic.ToString());
//
// Use the key to sign some data
//
byte[] message = Encoding.Unicode.GetBytes("ABC");
TpmHash digestToSign = TpmHash.FromData(TpmAlgId.Sha1, message);
//
// A different structure is returned for each signing scheme,
// so cast the interface to our signature type (see third argument).
//
// As an alternative, 'signature' can be of type ISignatureUnion and
// cast to SignatureRssa whenever a signature specific type is needed.
//
var signature = tpm[keyAuth].Sign(keyHandle, // Handle of signing key
digestToSign, // Data to sign
null, // Use key's scheme
TpmHashCheck.Null()) as SignatureRsassa;
//
// Print the signature.
//
Console.WriteLine("Signature: " + BitConverter.ToString(signature.sig));
//
// Use the TPM library to validate the signature
//
bool sigOk = keyPublic.VerifySignatureOverData(message, signature);
if (!sigOk)
{
throw new Exception("Signature did not validate.");
}
Console.WriteLine("Verified signature with TPM2lib (software implementation).");
//
// Load the public key into another slot in the TPM and then
// use the TPM to validate the signature
//
TpmHandle pubHandle = tpm.LoadExternal(null, keyPublic, TpmRh.Owner);
tpm.VerifySignature(pubHandle, digestToSign, signature);
Console.WriteLine("Verified signature with TPM.");
//
// The default behavior of Tpm2Lib is to create an exception if the
// signature does not validate. If an error is expected the library can
// be notified of this, or the exception can be turned into a value that
// can be later queried. The following are examples of this.
//
signature.sig[0] ^= 1;
tpm._ExpectError(TpmRc.Signature)
.VerifySignature(pubHandle, digestToSign, signature);
if (tpm._GetLastResponseCode() != TpmRc.Signature)
{
throw new Exception("TPM returned unexpected return code.");
}
Console.WriteLine("Verified that invalid signature causes TPM_RC_SIGNATURE return code.");
//
// Clean up of used handles.
//
tpm.FlushContext(keyHandle);
tpm.FlushContext(pubHandle);
//
// (Note that serialization is not supported on WinRT)
//
// Demonstrate the use of XML persistence by saving keyPublic to
// a file and making a copy by reading it back into a new object
//
// NOTE: 12-JAN-2016: May be removing support for policy
// serialization. We'd like to get feedback on whether
// this is a desirable feature and should be retained.
//
// {
// const string fileName = "sample.xml";
// string xmlVersionOfObject = keyPublic.GetXml();
// keyPublic.XmlSerializeToFile(fileName);
// var copyOfPublic = TpmStructureBase.XmlDeserializeFromFile<TpmPublic>(fileName);
//
// //
// // Demonstrate Tpm2Lib support of TPM-structure equality operators
// //
// if (copyOfPublic != keyPublic)
// {
// Console.WriteLine("Library bug persisting data.");
// }
// }
//
//
// Clean up.
//
tpm.Dispose();
}
catch (Exception e)
{
Console.WriteLine("Exception occurred: {0}", e.Message);
}
Console.WriteLine("Press Any Key to continue.");
Console.ReadLine();
}
/// <summary>
/// Funzione per la firma HMAC tramite TPM
/// </summary>
/// <param name="dataToAuth"></param>
/// <returns></returns>
public static Byte[] CalculateHmac(Byte[] dataToAuth)
{
TpmHandle hmacKeyHandle = new TpmHandle(AIOTH_PERSISTED_KEY_HANDLE + logicalDeviceId);
int dataIndex = 0;
Byte[] iterationBuffer;
Byte[] hmac = { };
// Se i valori da firmare sono < 1024 byte
if (dataToAuth.Length <= 1024)
{
try
{
// Apertura del TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Calcolo dell'HMAC tramite la funzione salvata in precedenza
hmac = tpm.Hmac(hmacKeyHandle, dataToAuth, TpmAlgId.Sha256);
// Dispose del TPM
tpm.Dispose();
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
return(hmac);
}
}
else
{
try
{
// Apertura del TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Inizio della sequenza HMAC
Byte[] hmacAuth = new byte[0];
TpmHandle hmacHandle = tpm.HmacStart(hmacKeyHandle, hmacAuth, TpmAlgId.Sha256);
// ciclo su tutti i dati da firmare a blocchi da 1024 byte
while (dataToAuth.Length > dataIndex + 1024)
{
// Repeat to update the hmac until we only hace <=1024 bytes left
iterationBuffer = new Byte[1024];
Array.Copy(dataToAuth, dataIndex, iterationBuffer, 0, 1024);
// Caricamento dei dati nel tpm (calcolo parziale)
tpm.SequenceUpdate(hmacHandle, iterationBuffer);
dataIndex += 1024;
}
// Caricamento della parte finale
iterationBuffer = new Byte[dataToAuth.Length - dataIndex];
Array.Copy(dataToAuth, dataIndex, iterationBuffer,
0, dataToAuth.Length - dataIndex);
TkHashcheck nullChk;
// Si finalizza l'HMAC con l'ultima parte dei dati
hmac = tpm.SequenceComplete(hmacHandle, iterationBuffer,
TpmHandle.RhNull, out nullChk);
// Dispose del TPM
tpm.Dispose();
}
catch
{
return(hmac);
}
}
return(hmac);
}
