protected override TPMCommandResponse InternalProcess() { //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf<string>("key")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_UnBind); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.WriteUInt32((uint)_inData.Length); requestBlob.Write(_inData, 0, _inData.Length); AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint dataSize = _responseBlob.ReadUInt32(); byte[] responseData = new byte[dataSize]; _responseBlob.Read(responseData, 0, responseData.Length); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("data", responseData); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Unbind, responseParams); }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_nonce, 0, 20); _pcrSelection.WriteToTpmBlob(requestBlob); _keyManager.LoadKey(_params.GetValueOf<string>("key")); AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); // Do signature verification TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce); byte[] signingData; using (TPMBlob blob = new TPMBlob()) { quoteInfo.WriteToTpmBlob(blob); signingData = blob.ToArray(); } Parameters pubKeyParams = new Parameters(); pubKeyParams.AddPrimitiveType("key", _params.GetValueOf<string>("key")); TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams); TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest, _commandAuthHelper, _keyManager); if (pubKeyResponse.Status == false) { _log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key"); return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters()); } TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf<string>("key"))); TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf<TPMPubkey>("pubkey"); if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false) { throw new ArgumentException("The TPM_Quote signature could not be verified"); } Parameters responseParams = new Parameters(); responseParams.AddValue("pcrData", pcrComposite); responseParams.AddPrimitiveType("sig", signature); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _usageAuth = _params.GetValueOf<byte[]> ("usage_auth"); _migrationAuth = _params.GetValueOf<byte[]> ("migration_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_usageAuth, xorKey); ByteHelper.XORBytes(_migrationAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf<string>("parent")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey); //parent key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_usageAuth, 0, 20); requestBlob.Write(_migrationAuth, 0, 20); _tpmKey.WriteToTpmBlob(requestBlob); using(_keyManager.AcquireLock()) { AuthorizeMe(requestBlob); requestBlob.SkipHeader(); if(_params.GetValueOf<string>("parent") == KeyHandle.KEY_SRK) requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK); else requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("parent")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMKeyCore newKey = new TPMKeyCore(_responseBlob); _responseParameters = new Parameters(); //Build and save the key identifier //The key identifier is the hex-string representation of the hash of the newly created key _responseParameters.AddPrimitiveType("key_identifier", ByteHelper.ByteArrayToHexString( new HashProvider().Hash( new HashByteDataProvider( ByteHelper.SerializeToBytes(newKey) ) ), "")); _responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters); }
protected override TPMCommandResponse InternalProcess() { // Unencrypted authorization values, they need to be XOR-Encrypted with // XOR(auth, SHA-1(OSAP shared secret | session nonce)) // // OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap) AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1); _encAuth = _params.GetValueOf<byte[]> ("data_auth"); byte[] xorKey = new HashProvider().Hash( new HashByteDataProvider(auth1OSAP.SharedSecret), new HashByteDataProvider(auth1OSAP.NonceEven)); ByteHelper.XORBytes(_encAuth, xorKey); //Load parent key if not loaded _keyManager.LoadKey(_params.GetValueOf<string>("key")); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.Write(_encAuth, 0, 20); TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo); requestBlob.WriteUInt32((uint)_inData.Length); requestBlob.Write(_inData, 0, _inData.Length); AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData)); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams); }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob (); requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_LoadKey2); //If not loaded load now if(_params.GetValueOf<bool>("parent_key_srk") == false) _keyManager.LoadKey(_params.GetValueOf<string>("parent_identifier")); //To be inserted later requestBlob.WriteUInt32 (0); _tpmKey.WriteToTpmBlob(requestBlob); //Blocking authorize, blocks till the user has entered the authorization data AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { _keyManager.EnsureFreeSlot(); uint tpmKeyHandle; if(_params.GetValueOf<bool>("parent_key_srk")) tpmKeyHandle = (uint)TPMKeyHandles.TPM_KH_SRK; else tpmKeyHandle = _keyManager.IdentifierToHandle(_params.GetValueOf<string>("parent_identifier")).Handle; //Write key handle to the first position after the header requestBlob.SkipHeader(); requestBlob.WriteUInt32(tpmKeyHandle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint loadedTpmHandle = _responseBlob.ReadUInt32(); KeyHandle loadedHandle = new KeyHandle(_params.GetValueOf<string>("key_identifier"), loadedTpmHandle); _responseParameters = new Parameters(); _responseParameters.AddPrimitiveType("handle", loadedHandle); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_LoadKey2, _responseParameters); }
protected override TPMCommandResponse InternalProcess() { TPMBlob requestBlob = new TPMBlob (); requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_GetPubKey); //If not loaded load now _keyManager.LoadKey(_params.GetValueOf<string>("key")); //KeyHandle To be inserted later requestBlob.WriteUInt32 (0); //Blocking authorize, blocks till the user has entered the authorization data AuthorizeMe(requestBlob); using(_keyManager.AcquireLock()) { //Write key handle to the first position after the header requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); TPMPubkeyCore pubKey = TPMPubkeyCore.CreateFromTPMBlob(_responseBlob); Parameters responseParams = new Parameters(); responseParams.AddValue("pubkey", pubKey); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetPubKey, responseParams); }
protected override TPMCommandResponse InternalProcess() { string key = _params.GetValueOf<string>("key"); _keyManager.LoadKey(key); TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(key)); if(keyInfo == null) throw new ArgumentException(string.Format("TPM_Sign could not retrieve keyinfo for key '{0}'", key)); byte[] areaToSign = null; if(keyInfo.AlgorithmParams.SigScheme == TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1) { //Client has hopefully put data in the right format ready for the tpm to process if(_params.IsDefined<byte[]>("areaToSign")) areaToSign = _params.GetValueOf<byte[]>("areaToSign"); //Client just sends data, tpm lib cares about the right, signature dependent, processing else if(_params.IsDefined<byte[]>("data")) { byte[] data = _params.GetValueOf<byte[]>("data"); areaToSign = new HashProvider().Hash(new HashByteDataProvider(data)); } if(areaToSign.Length != 20) { throw new ArgumentException(string.Format("Sig scheme '{0}' expects an area to sign with length 20!", keyInfo.AlgorithmParams.SigScheme)); } } else throw new ArgumentException(string.Format("TPM_Sign has not implemented signature scheme '{0}' for algorithm '{1}'", keyInfo.AlgorithmParams.SigScheme, keyInfo.AlgorithmParams.AlgorithmId)); TPMBlob requestBlob = new TPMBlob(); requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Sign); //key handle gets inserted later, it may be not available now requestBlob.WriteUInt32(0); requestBlob.WriteUInt32((uint)areaToSign.Length); requestBlob.Write(areaToSign, 0, areaToSign.Length); AuthorizeMe(requestBlob); using (_keyManager.AcquireLock()) { requestBlob.SkipHeader(); requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(key).Handle); _responseBlob = TransmitMe(requestBlob); } CheckResponseAuthInfo(); _responseBlob.SkipHeader(); uint sigSize = _responseBlob.ReadUInt32(); byte[] signature = _responseBlob.ReadBytes((int)sigSize); Parameters responseParams = new Parameters(); responseParams.AddPrimitiveType("sig", signature); return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Sign, responseParams); }